Reload one domain in caching DNS server
Hello All

I have a quick question, but I am not sure that there is a quick answer.

We run one DNS server as a "caching DNS server". All DNS queries from our site are forwarded to this server. It does not host any primary or secondary "zones" and resolves all of its queries from root servers. Thus the answers we get from DNS are generally the same as everyone else on the internet, which helps our support guys give our customers sensible answers.

The trouble is when we update one of our domains, we still see the "old" domain data until such time as it expires.

How can I force our caching DNS server to reload 1 domain? I don't want to restart bind and force it to reload all of the info it has cached every time we update one domain, because the DNS server builds up quite a history and I think e-mail etc takes a bit of a knock after a reload. (New domains are not a problem, just updates to old ones.)

Ian

--
Ian Forbes
ZSD http://www.zsd.co.za
Office: +27 +21 683-1388  Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: mailman & exim
Hello Martin

On 28 Aug 2001, at 12:50, Martin WHEELER wrote:

> 2001-08-28 12:14:52 15bhjt-SE-00 Neither the system_aliases
> director nor the address_pipe transport set a uid for local
> delivery of |/var/lib/mailman/mail/wrapper post -l

Look in exim.conf for a block similar to this:

    system_aliases:
      driver = aliasfile
      file_transport = address_file
      pipe_transport = address_pipe
      file = /etc/aliases
      search_type = lsearch
      user = list

and add the last line "user = list" or perhaps "user = mailman" and see if that helps.

Otherwise read the exim documentation. The FAQ on www.exim.org can be very useful.

Have fun

Ian Forbes
Re: portslave
Hello Russell

I am busy testing a portslave server to replace my old ancient Cyclades-Y based terminal server. The old one ran mgetty and a pppd patched for radius authentication via the radius client library. The patches have not been updated since pppd version 2.2 and the old machine still has a 2.0 series kernel.

I am using portslave 2000-12-24 which I built on potato from a deb source archive a while back and kernel 2.2.19. It seems to work and we will go "live" in a few days.

Do you know of a "potato" deb for the latest version, or if you have suggestions on how to get it to compile on potato, please let me know. I ran into problems with an unsupported "debhelper" version. Upgrading debhelper would require upgrading perl; by the time I have done that it won't look like a "potato" system any more.

I am also not too sure if I agree with your comments on portslave doing everything that mgetty can do. I had a big battle to get portslave to work with my old modem to modem uucp clients.

Regards

Ian

On 5 Oct 2001, at 16:02, Russell Coker wrote:

> On Thu, 4 Oct 2001 17:34, Cathedral wrote:
> > I'm configuring one board cyclades cyclom-y and got all the board configured
> > but now i can't set the modems to work, i've configured the radius-client
> > to authenticate on my radius-server and start pppd automatically.
> > I have put a line like that on inittab
> >
> > C0:23:respawn:/sbin/getty -I ' AT OK AT&W0' ttyC0 (also with /dev/)
> > 9600 -l path_to_radlogin/radlogin
> > The modem answers the line but my win98 clients doesn't connect, do anybody
> > can help me about that, i'm getting really desperate.
>
> That will only work for terminal authentication (the default for Windows is
> AutoPPP). Also are you sure that your "-I" parameter is correct? The
> documentation for the version of getty that I use doesn't indicate support
> for chat scripts.
>
> Why not use Portslave? It answers the phone and supports full chatscript
> functionality for modem configuration etc. Portslave presents a "login:"
> prompt and authenticates with a RADIUS server. It also recognises AutoPPP
> sequences and runs pppd with a special module so that the pppd will talk to
> the RADIUS server for authentication. When the connection is finished the
> details of bytes and packets transferred will be logged to the RADIUS server.
>
> Also Portslave supports a variety of options for running ssh, telnet, or
> rlogin connections based on what the RADIUS server specifies.
>
> Anything that can be done by getty, mgetty, radius-client, etc can be done
> better by Portslave.
>
> Another thing, currently there are two active Portslave developers, me and a
> Cyclades employee (the Cyclades TS4000 type boxes run a derivative of my
> 2000-12-25 release). Run the latest Portslave from unstable and you get most
> of the features of the high-end Cyclades terminal server boxes, plus some
> features that haven't yet been copied into the Cyclades tree.
>
> --
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/projects.html Projects I am working on
> http://www.coker.com.au/~russell/ My home page
Re: portslave
Hello Russell

On 9 Oct 2001, at 0:02, Russell Coker wrote:

> On Mon, 8 Oct 2001 16:36, I. Forbes wrote:
> The versions before 2001-06-20 all sucked in various ways. It was only in
> the 2001-06-20 version that I really got the source under control.
>
> > Do you know of a "potato" deb for the latest version, or if you have
> > suggestions on how to get it to compile on potato, please let me
> > know. I ran into problems with an unsupported "debhelper" version.
> > Upgrading debhelper would require upgrading perl, by the time I
> > have done that it won't look like a "potato" system any more.
>
> Hopefully I'll have one for you tomorrow. I'll try and back-port the main
> ppp package at the same time. Then you'll get the latest pppd along with the
> Portslave that uses the regular pppd (saves memory).

Thanks, I am looking forward to that.

How does portslave work with pppd, and which versions of pppd (patched or unpatched) do you need for kernel 2.2 (which I am still running) and kernel 2.4 (which will be the next upgrade)?

> > I am also not too sure if I agree with your comments on portslave
> > doing everything that mgetty can do. I had a big battle to get
> > portslave to work with my old modem to modem uucp clients.
>
> Tell me exactly what you were trying to do and how it failed, if the current
> version can't handle it easily then I'll add some new features.

With mgetty I had a line in my mgetty (on one line):

    U* uucp@ /usr/bin/ssh -t -e none [EMAIL PROTECTED] /usr/sbin/uucico -l -u @

The uucp clients were not in the radius server at all. This started a session on our uucp server which did the authentication.

Now I have in pslave.conf:

    conf.ssh    /etc/portslave/scripts/ssh-script

And the file referenced above looks like this (mind the line wrap):

    #! /bin/bash
    #
    su uucp -c "/usr/bin/ssh -t -e none [EMAIL PROTECTED] /usr/sbin/uucico -x3 -u $LOGNAME"

I have now added all my uucp accounts to radius, with the following settings:

    User-Service-Type = Login-User,
    Login-Service = Ssh

The uucp server still has a duplicate authentication list as it accepts lots of connections over tcp/ip. Fortunately we have not sold a uucp for "modem to modem" use for over 2 years (we still sell lots of uucp over tcp/ip - but that does not affect portslave), so these are legacy clients and we only have to fiddle with the radius stuff when they close.

Another comment. Portslave locks the serial port. With mgetty it is still possible to use the port for dialing out, and even for faxing. So with small multipurpose installations, mgetty may have advantages over portslave.

> Also the recent versions have many more features regarding logins other than
> PPP/SLIP, whatever your problem was I'm sure it's a lot easier to solve now
> than a year ago!

Is it possible to call up the patched pppd from mgetty and use radius authentication and accounting?

It would be really nice if the above were true. It would also be nice if we could combine mgetty with features of faxgetty from the hylafax package. Then we could have one "answer the modem" package which could be configured to do everything anyone can expect of a modem.

When we get that right, we can start all over again for ISDN ...

Thanks for the feedback

Regards

Ian
Re: portslave for potato
Hello Russell

I have just tried this on my potato test system. I installed the deb over my old version. I let the install script update my existing pslave.conf file but I did not change anything else. The kernel is version 2.2.19.

It works fine!

Thanks

Ian

On 9 Oct 2001, at 21:13, Russell Coker wrote:

> I have put a copy of the latest portslave compiled for potato online at
> http://www.coker.com.au/portslave/ . I don't have a potato system to test it
> though... Also it is a new version...
Re: portslave for potato
Hello Russell

On 9 Oct 2001, at 21:13, Russell Coker wrote:

> I have put a copy of the latest portslave compiled for potato online at
> http://www.coker.com.au/portslave/ . I don't have a potato system to test it
> though... Also it is a new version...

I think I have found a bug with this package.

We had a major power outage and everything went down. The portslave machine came back up before the radius server. It seems the pppd-radius on the portslave machine got into an endless loop trying to reach the radius server. I got the following errors scrolling very rapidly:

    Oct 12 13:42:37 nimbus port[S23]: [EMAIL PROTECTED]:1812 not responding
    Oct 12 13:42:37 nimbus last message repeated 15 times
    Oct 12 13:42:37 nimbus port[S26]: [EMAIL PROTECTED]:1812 not responding
    Oct 12 13:42:37 nimbus last message repeated 9 times
    Oct 12 13:42:37 nimbus port[S19]: [EMAIL PROTECTED]:1812 not responding
    Oct 12 13:42:37 nimbus last message repeated 5 times

It did not stop after the radius server had come back up again. Eventually I had to run "killall -9 pppd-radiusd" to kill all of the stuck processes. After that init restarted the portslaves and it worked fine again.

I look forward to your comments.

Thanks

Ian
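A retry storm like the one in the log above is worth catching automatically, because an operator who sees the console only after the RADIUS server is back has no easy way to tell which pppd-radius processes are still spinning. The script below is an added example written for this page; it is not part of portslave or of the original post. It folds syslog's "last message repeated N times" lines into the port named by the preceding message, computes a per-port failure rate, and lists the ports retrying faster than a given rate. The sample log lines are constructed to mirror the quoted ones, with the placeholder host name radius.example.invalid standing in for the masked server address.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines modelled on the ones quoted in the post.
# "radius.example.invalid" is a placeholder for the masked RADIUS server
# address; "nimbus" is the portslave host named in the post.
SAMPLE_LOG = """\
Oct 12 13:42:37 nimbus port[S23]: radius.example.invalid:1812 not responding
Oct 12 13:42:37 nimbus last message repeated 15 times
Oct 12 13:42:37 nimbus port[S26]: radius.example.invalid:1812 not responding
Oct 12 13:42:37 nimbus last message repeated 9 times
Oct 12 13:42:37 nimbus port[S19]: radius.example.invalid:1812 not responding
Oct 12 13:42:37 nimbus last message repeated 5 times
Oct 12 13:42:38 nimbus port[S23]: radius.example.invalid:1812 not responding
Oct 12 13:42:38 nimbus last message repeated 15 times
Oct 12 13:42:38 nimbus port[S26]: radius.example.invalid:1812 not responding
Oct 12 13:42:38 nimbus last message repeated 9 times
Oct 12 13:42:38 nimbus port[S19]: radius.example.invalid:1812 not responding
Oct 12 13:42:38 nimbus last message repeated 5 times
Oct 12 13:42:39 nimbus port[S23]: radius.example.invalid:1812 not responding
Oct 12 13:42:39 nimbus last message repeated 15 times
Oct 12 13:42:39 nimbus port[S26]: radius.example.invalid:1812 not responding
Oct 12 13:42:39 nimbus last message repeated 9 times
Oct 12 13:42:39 nimbus port[S19]: radius.example.invalid:1812 not responding
Oct 12 13:42:39 nimbus last message repeated 5 times
Oct 12 13:42:40 nimbus port[S19]: radius.example.invalid:1812 not responding
Oct 12 13:42:40 nimbus last message repeated 5 times
"""

# Classic syslog layout: "Mon DD HH:MM:SS host message".
NOT_RESPONDING = re.compile(
    r'^(\S+ +\d+ \d\d:\d\d:\d\d) \S+ port\[(\S+)\]: (\S+) not responding$')
REPEATED = re.compile(
    r'^(\S+ +\d+ \d\d:\d\d:\d\d) \S+ last message repeated (\d+) times$')


def count_failures(log_text):
    """Per serial port: (total 'not responding' events, distinct seconds seen).

    syslogd collapses identical consecutive lines into "last message repeated
    N times", so the N is credited to the port of the preceding message.
    """
    totals = defaultdict(int)
    seconds = defaultdict(set)
    last_port = None
    for line in log_text.splitlines():
        m = NOT_RESPONDING.match(line)
        if m:
            stamp, last_port, _server = m.groups()
            totals[last_port] += 1
            seconds[last_port].add(stamp)
            continue
        m = REPEATED.match(line)
        if m and last_port is not None:
            stamp, n = m.groups()
            totals[last_port] += int(n)
            seconds[last_port].add(stamp)
    return {port: (totals[port], len(seconds[port])) for port in totals}


def failures_per_second(log_text):
    """Average failures per logged second, per port (second resolution only)."""
    return {port: total / secs
            for port, (total, secs) in count_failures(log_text).items()}


def stuck_ports(log_text, max_per_second=2.0):
    """Ports whose client retries many times a second instead of backing off;
    these are the processes an operator should restart rather than wait for."""
    return sorted(port for port, rate in failures_per_second(log_text).items()
                  if rate > max_per_second)


if __name__ == "__main__":
    for port in stuck_ports(SAMPLE_LOG):
        print("port %s is retrying %.0f times/second" % (
            port, failures_per_second(SAMPLE_LOG)[port]))
```

Run against a real file with `stuck_ports(open("/var/log/syslog").read())`; the threshold is deliberately a parameter, since a healthy client that merely times out a few times during a server restart should not be reported.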
Re: portslave
Hello Russell

On 13 Oct 2001, at 19:14, Russell Coker wrote:

> I have been thinking of implementing a way of telling Portslave to pass the
> port to another program to allow minicom or a FAX transmission to take the
> port.

I think the answer lies in by-passing radius. If we had a facility like mgetty's "login.config" file which could decide whether to run a radius based program, or a local one instead, the flexibility would go up by an order of magnitude. It would also make hacks like my UUCP one work.

Perhaps the same or a similar configuration file could tell portslave how to handle incoming calls detected by the modem as being voice or fax as opposed to data calls.

> > Is it possible to call up the patched pppd from mgetty and use
> > radius authentication and accounting?
>
> Sure you could have the mgetty detect the PPP frames and run pppd with
> appropriate parameters to load the Portslave library.

Is there any documentation for the new options on the patched pppd?

> > It would be really nice if the above were true. It would also be nice if
> > we could combine mgetty with features of faxgetty from the hylafax
> > package. Then we could have one "answer the modem" package
>
> I've been thinking of doing that. However I have no fax hardware. If
> someone suggests which code I should use as a fax code base and is prepared
> to test it for me then I'll add fax support to Portslave.

In my opinion Hylafax is by far the best fax package. It allows Class 1 or Class 2 modems to be used. Mgetty's fax facility only allows Class 2. As over 90% of domestic quality 56k modems either have no Class 2 support, or Class 2 that is so buggy that it is not worth using, this is a big plus factor. (Almost all Windows faxing software uses Class 1 mode.)

Hylafax has a "faxgetty" program that answers the modem. It allows dial-out like mgetty, but it also communicates with the hylafax daemon to report on the status of the modem. It has facilities for calling alternate programs for voice and data calls. I am not sure if it can detect ppp frames.

However the weak link is normally with the modem's detection of the type of the incoming call (voice, fax or data), which is not very reliable. I am not sure if Class 1 modems can do this at all. On commercial sites, I normally lock modems taking incoming fax calls into "fax only" mode to guarantee satisfactory performance. Faxgetty has a few features to try and work around this limitation.

A few other issues to consider:

- What about call-back, is there any provision for this in portslave?
- Is anybody familiar with isdnutils? How does that handle all the options of incoming calls?
- Can isdnutils handle radius authentication, filters, assigned IP's etc? (Maybe it could share the radius plug in?)

Regards

Ian
Re: portslave
Hello Russell

On 15 Oct 2001, at 17:58, Russell Coker wrote:

> On Mon, 15 Oct 2001 11:18, I. Forbes wrote:
> > Perhaps the same or a similar configuration file could tell portslave
> > how to handle incoming calls detected by the modem as being
> > voice or fax as opposed to data calls.
>
> Sure, I could add that. Write a spec.

This is an opportunity I can't pass up. Give me a week or so to have a good look through mgetty, faxgetty etc.

> > Is there any documentation for the new options on the patched pppd?
>
> There is in the latest version which was uploaded to Debian and Sourceforge
> last night.

Thanks, I will have a look.

> It shouldn't be that difficult to write some code that can recognise FAX as
> well as PPP, they are very different...

The fax and data differentiation is handled by the modem - they have different handshake sequences. If the phone line is noisy and/or the modem firmware is a bit buggy, the modem does not correctly identify the handshake. If the modem gets this wrong, then the "getty" program can't help. This does not mean that we should not put the facility into portslave.

Regards

Ian
Re: Best way to duplicate HDs
Hello All

I am not sure that I understand what the original poster wishes to achieve, nor have I followed the lengthy discussions that ensued. But, a thread with the above subject line would not be complete without a mention of "mirrordir".

Someone wrote:

> > Sigh... and I was hoping for a simple solution like cp /mnt/disk1/*
> > /mnt/disk2/

Try

    apt-get install mirrordir
    mirrordir /mnt/sourcedisk /mnt/targetdisk

Everything including soft links, hard links, device files, fifo's, permissions etc, will be mirrored, with a minimum of changes on the target disk. Mind that you do not mix up the "source" and "target" paths, otherwise you will end up wiping your original drive.

If you want to "ghost" a complete linux file system to replace a small drive with a larger one, the recipe is this:

- power down and install the target disk on the secondary port, reboot.
- partition the target disk (fdisk, cfdisk).
- create file systems (mkfs) and a swap partition (mkswap) on the target disk.
- mount the target disk on /mnt
- create mount points and mount other partitions on the target drive (eg mkdir /mnt/boot, mount /dev/hdc1 /mnt/boot).
- change into single user mode (init s)
- mirror the drive, "mirrordir --exclude /mnt --exclude /proc / /mnt" (These excludes save a lot of trouble)
- mkdir /mnt/proc, mkdir /mnt/mnt (This also saves a lot of problems later).
- power down and remove the original disk
- reboot with the target disk mounted as root / using an external recovery disk.
- run install-mbr to put a boot record on the target
- run lilo to make the target bootable.
- reboot.

The original poster could probably achieve what he wants by running the "mirrordir" statement from crontab every 24 hours.

Have fun

Ian
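The warning above about swapping "source" and "target" is the kind of mistake a wrapper can refuse before anything is written. The following is an added example for this page, not part of mirrordir or of the post: a pre-flight check that validates the two paths and the excludes, rejects the destructive cases (same directory, target is /, source inside target, target inside source without an exclude for it) and only then builds the mirrordir command line. It works purely on the path strings, so it assumes absolute paths and leaves mounting and the actual run to the operator; the function names plan_mirrordir and rejection are this example's own.

```python
import os


def plan_mirrordir(source, target, excludes=()):
    """Build the argv for a mirrordir run after sanity-checking the paths.

    Returns (argv, warnings). Raises ValueError for argument combinations
    that would destroy data, in particular swapped source/target.
    """
    for p in (source, target) + tuple(excludes):
        if not os.path.isabs(p):
            raise ValueError("use absolute paths: %r" % p)
    src = os.path.normpath(source)
    dst = os.path.normpath(target)
    exc = [os.path.normpath(e) for e in excludes]

    def inside(path, parent):
        # True when path is parent itself or lies below it.
        return path == parent or path.startswith(parent.rstrip("/") + "/")

    if src == dst:
        raise ValueError("source and target are the same directory: %s" % src)
    if dst == "/":
        # The recipe in the post writes INTO /mnt; "/" as the target means
        # the arguments are reversed and the running system would be wiped.
        raise ValueError("target is /: arguments look swapped")
    if inside(src, dst):
        # e.g. mirrordir /mnt/new /mnt would delete everything else under /mnt.
        raise ValueError("source %s lies inside target %s; mirrordir would "
                         "delete the rest of the target" % (src, dst))
    if inside(dst, src) and not any(inside(dst, e) for e in exc):
        # Mirroring / onto /mnt without --exclude /mnt copies the copy into itself.
        raise ValueError("target %s lies inside source %s; add --exclude %s"
                         % (dst, src, dst))

    warnings = []
    if src == "/" and not any(inside("/proc", e) for e in exc):
        warnings.append("mirroring / without --exclude /proc copies the live "
                        "kernel view instead of an empty mount point")

    argv = ["mirrordir"]
    for e in exc:
        argv += ["--exclude", e]
    argv += [src, dst]
    return argv, warnings


def rejection(source, target, excludes=()):
    """The reason plan_mirrordir() refuses these arguments, or None if accepted."""
    try:
        plan_mirrordir(source, target, excludes)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # The full-disk recipe from the post, checked before it is run.
    argv, warnings = plan_mirrordir("/", "/mnt", excludes=("/mnt", "/proc"))
    print(" ".join(argv))
    for w in warnings:
        print("warning:", w)
    print("swapped arguments:", rejection("/mnt", "/"))
```

Hand the returned argv to subprocess.run (or print it and paste it) only after the target is actually mounted; the path logic cannot tell an empty mount point from an unmounted directory, so a check with os.path.ismount(target) at run time is the missing last step.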
Raid 1 + lilo
Hello All

As a follow-up to the "closest to debian" thread.

I am using software raid 1, + IDE drives. On a woody system with the latest lilo and a new bios it seems pretty good. The bios will boot off the 2nd drive if the first one fails. Both disks have an MBR and lilo is on both disks via a mirrored /boot partition. I think this is pretty bullet proof and it handled everything I could simulate but I have not tried shooting out one of the drives!

Now I am looking for 2 things:

1) has anybody got a 'deb' of the latest lilo, back-ported onto potato. I am looking for one to use on my "stable" machines?

2) has anybody written a nifty script which can be run by crond to read /proc/mdstat and send off e-mail if something is not healthy. I know this can't be too tricky, but any contributions to save "re-inventing" the wheel would be appreciated.

Also on my wish list is a more advanced script which is run on boot-up which:

- detects that one drive in the raid1 is not synced - and is presumably a new disk which has just been installed to replace a dead one.
- reads /etc/raidtab, the partition table on both disks and probably a dedicated configuration file.
- partitions the 'new' disk if required.
- hot syncs the new partition(s) into the raid device(s).
- runs 'mkswap' and 'swapon' to set up swap partitions on the new drive.
- runs install-mbr and lilo to make the new disk bootable.

This should all be done very carefully with lots of checks so as not to wipe valid data! Maybe the script should be run manually with warning prompts.

Thanks

Ian
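The cron-driven /proc/mdstat check asked for in point 2 is small enough to show in full. What follows is an added example written for this page, not code from the thread or from any Debian package: it parses the array and status lines of /proc/mdstat (the "[2/1] [_U]" device counts, "(F)" failed-device markers and a rebuild progress line, if present), and prints one line per degraded or rebuilding array. It prints nothing when all arrays are healthy, which is exactly what cron wants: cron mails any output to the MAILTO address, so the script needs no mail code of its own. The sample mdstat text is constructed in the format of the 2.2/2.4-era kernels the thread discusses; the level-name and state parsing is kept simple and assumes the common "mdN : active raidX ..." layout.

```python
import re
import sys

# Constructed sample in /proc/mdstat format: md0 healthy, md1 with a failed
# member, md2 degraded and rebuilding.
SAMPLE_MDSTAT = """\
Personalities : [raid1]
read_ahead 1024 sectors
md0 : active raid1 hdc1[1] hda1[0]
      9767424 blocks [2/2] [UU]

md1 : active raid1 hdc2[1](F) hda2[0]
      264960 blocks [2/1] [_U]

md2 : active raid1 hdc3[2] hda3[0]
      1048576 blocks [2/1] [U_]
      [=>...................]  recovery =  7.3% (77824/1048576) finish=1.2min speed=13312K/sec

unused devices: <none>
"""

ARRAY_LINE = re.compile(r'^(md\d+)\s*:\s*(\S+)\s+(\S+)\s+(.*)$')
STATUS_LINE = re.compile(r'\[(\d+)/(\d+)\]\s+\[([U_]+)\]')      # [expected/active] [slots]
PROGRESS_LINE = re.compile(r'(recovery|resync|reshape|check)\s*=\s*([\d.]+)%')
DEVICE = re.compile(r'(\S+?)\[(\d+)\](\(F\))?')                 # name[slot](F)


def parse_mdstat(text):
    """Return {array name: details} for every mdN block in /proc/mdstat text."""
    arrays = {}
    current = None
    for line in text.splitlines():
        m = ARRAY_LINE.match(line)
        if m:
            name, state, level, devs = m.groups()
            members = DEVICE.findall(devs)
            current = arrays[name] = {
                "state": state, "level": level,
                "devices": [d for d, _, _ in members],
                "failed": [d for d, _, flag in members if flag],
                "expected": None, "active": None, "slots": "", "progress": None,
            }
            continue
        if current is None:
            continue
        m = STATUS_LINE.search(line)
        if m:
            current["expected"] = int(m.group(1))
            current["active"] = int(m.group(2))
            current["slots"] = m.group(3)
            continue
        m = PROGRESS_LINE.search(line)
        if m:
            current["progress"] = (m.group(1), float(m.group(2)))
        if not line.strip():
            current = None          # blank line ends the block for this array
    return arrays


def unhealthy(arrays):
    """One human-readable problem per array that is not fully in service."""
    problems = []
    for name, a in sorted(arrays.items()):
        if a["expected"] is not None and a["active"] < a["expected"]:
            msg = "%s: %d of %d devices active [%s]" % (
                name, a["active"], a["expected"], a["slots"])
            if a["failed"]:
                msg += ", failed: " + ",".join(a["failed"])
            if a["progress"]:
                msg += ", %s %.1f%%" % a["progress"]
            problems.append(msg)
        elif a["state"] != "active":
            problems.append("%s: state %s" % (name, a["state"]))
    return problems


def check(path="/proc/mdstat"):
    """Print problems and return a shell exit status (0 healthy, 1 degraded)."""
    with open(path) as f:
        problems = unhealthy(parse_mdstat(f.read()))
    for p in problems:
        print(p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(check(sys.argv[1] if len(sys.argv) > 1 else "/proc/mdstat"))
```

A crontab line such as `0 * * * * /usr/local/sbin/mdcheck.py` then produces a mail only on the hour when something is wrong; the non-zero exit status lets a wrapper page someone instead if mail is not enough.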
Re: Raid 1 + lilo
Hello Russell

On 30 Jan 2002, at 9:08, Russell Coker wrote:

> On Tue, 29 Jan 2002 22:43, I. Forbes wrote:
> > 1) has anybody got a 'deb' of the latest lilo, back-ported onto
> > potato. I am looking for one to use on my "stable" machines?
>
> http://www.coker.com.au/lilo/

Thanks very much. It almost looks like you put this together in response to my request.

> > 2) has anybody written a nifty script which can be run by crond to
> > read /proc/mdstat and send off e-mail if something is not
> > healthy. I know this can't be too tricky, but any contributions
> > to save "re-inventing" the wheel would be appreciated.
>
> I think that there's a package in woody for that, I can't seem to find it at
> the moment though.

I see there is mdctl, as well as mdutils, raidtools2, and raidtools available in woody. All seem to have overlapping functionality and only one of them can be installed at a time. mdctl seems very new and appears to have a "monitoring" function.

Up to now I have been using raidtools2; this is available in potato and woody. I am cautious to use mdctl as it is very new, documentation is a little sparse and it is not available on potato, but in the long run I guess this will be the preferred utility.

Has anybody had any experience with these tools?

Thanks

Ian
Re: Raid 1 + lilo
Hello Russell

On 31 Jan 2002, at 2:08, Russell Coker wrote:

> On Wed, 30 Jan 2002 22:55, I. Forbes wrote:
> > > > 1) has anybody got a 'deb' of the latest lilo, back-ported onto
> > > > potato. I am looking for one to use on my "stable" machines?
> > >
> > > http://www.coker.com.au/lilo/
> >
> > Thanks very much. It almost looks like you put this together in
> > response to my request.
>
> Yes.

There is a small bug with this package. When I try and install it I get a problem with conflicting manpage versions. The lilo-doc package installed without problems.

    nimbus2:~/debs# dpkg -i lilo_22.1-6potato1_i386.deb
    dpkg: regarding lilo_22.1-6potato1_i386.deb containing lilo:
     lilo conflicts with manpages (<< 1.29-3)
      manpages (version 1.29-2) is installed.
    dpkg: error processing lilo_22.1-6potato1_i386.deb (--install):
     conflicting packages - not installing lilo
    Errors were encountered while processing:
     lilo_22.1-6potato1_i386.deb

The manpages package installed is the latest "stable" version.

Regards

Ian
Re: Raid 1 + lilo
Hello Russell

Thanks Russell, I used "--force-conflicts" and it installed. I should have thought of that myself.

Now I must find a time to reboot the machine to test it. In the meantime I will leave the magic boot stiffy in the 'a' drive - just in case we get a 3AM power failure! (All the machines that can be conveniently rebooted are running woody.)

Regards

Ian

On 31 Jan 2002, at 16:59, Russell Coker wrote:

> On Thu, 31 Jan 2002 04:06, I. Forbes wrote:
> > > > > > 1) has anybody got a 'deb' of the latest lilo, back-ported onto
> > > > > > potato. I am looking for one to use on my "stable" machines?
> > > > >
> > > > > http://www.coker.com.au/lilo/
> > > >
> > > > Thanks very much. It almost looks like you put this together in
> > > > response to my request.
> > >
> > > Yes.
> >
> > There is a small bug with this package. When I try and install it I get
> > a problem with conflicting manpage versions. The lilo-doc package
> > installed without problems.
> >
> > nimbus2:~/debs# dpkg -i lilo_22.1-6potato1_i386.deb
> > dpkg: regarding lilo_22.1-6potato1_i386.deb containing lilo:
> >  lilo conflicts with manpages (<< 1.29-3)
> >   manpages (version 1.29-2) is installed.
> > dpkg: error processing lilo_22.1-6potato1_i386.deb (--install):
> >  conflicting packages - not installing lilo
> > Errors were encountered while processing:
> >  lilo_22.1-6potato1_i386.deb
> >
> > The manpages package installed is the latest "stable" version.
>
> Sorry I forgot about that. Use --force-conflicts and --force-overwrite, it's
> probably not worth releasing a new package just for this.
>
> Or you could just install the manpages package from woody.
Re: Mass installation procedure for Debian?
Hello Oliver

On 2 Feb 2002, at 12:33, Oliver Andrich wrote:

> I have to deal in the near future with a lot of Debian machines, that I will
> setup and configure for two customers. I like to develop or use some mechanism
> for mass installation of these machines, and for easily setting up a spare
> part machine if one crashes.

We use this installation procedure. It is not really "mass" but can generate a debian stable machine tailored for our customer's requirements quite quickly. These are not identical machines - each one goes to a new customer with specific requirements. Also each machine can, and often does, have different hardware:

- Boot off boot floppies.
- Load base.tgz over the LAN from our mirror server.
- Follow prompts on debian setup to set up network, DNS, apt sources, root password, user account and password etc.
- Break out of the installation process when dselect is started.
- Download a "tar.gz" file which has various customized things in it. This is unpacked into /etc, /usr/local and /var/www.
- Run dpkg --set-selections < /etc/deblist (deblist is one of the files in our tarball).
- Run apt-get and let it install the required packages. Note the contents of our /etc/ files are typically listed as configuration files. When dpkg asks if you want to overwrite them, we say NO.
- We do some global edits on /etc. For example if our tarball has customerdomain.com we search and replace it with the customer's real domain. We use mc for this and manually check each replacement just to make sure.
- If there are packages required which are not on our standard list, they get installed last. This often includes a customized kernel.
- Each machine is fully tested. DNS, dhcp, samba, isp dial-out, ras dial-in, mail in, mail out, proxy server etc.
- Details of the setup are documented and the machine is ready for delivery.

The slowest part of the job is waiting for dpkg to run all of the install scripts. With decent hardware it is not really too bad. Testing requires some application of grey matter. When we are under pressure, we can get a production ready e-mail server or webserver out in under an hour.

I have done quite a lot of development with the contents of the tar.gz. We also use a detailed check list.

I have tried setting up a custom "base.tgz" but that was too fiddly and too prone to bugs. I also looked at customizing the install disks, but backed off from that too. Maybe when I get a bit more time...

We also have a script for backing up /etc and a few other key files and directories into a tar.gz file and rsync-ing it onto our backup server. We run the script whenever we work on a customer's machine. If the machine has a disk crash we can rebuild it from scratch, using the same procedure and the backup tar.gz file instead of the generic one.

Regards

Ian
Re: dist-upgrade on remote server
Hello Andreas

It should be possible. I upgraded a number of machines from slink to potato remotely, but I have not started on remote potato to woody upgrades yet. It helps if you have practised on a local machine.

I suggest you take a few precautions:

- use apt-get -d to download everything you need before you start.
- open 3 or more ssh sessions. Set up a ping in the spare sessions. Then if you lose your main one, the others should still be open to give you a "back door". This can save you if something crashes during the setup of the new ssh.
- use "script" or something similar to keep a record of the screen dump. Then if you miss a warning or error you can go back and read it.
- be very careful before you do anything that changes ipchains rules.
- be very careful before you re-boot the machine.

Let me know how it goes.

Good Luck.

Ian

On 4 Feb 2002, at 15:16, Andreas Rabus wrote:

> Hi,
>
> there was a thread about potato/woody on the weekend, but i didn't get an
> important answer:
> I'd like to "dist-upgrade" our potato InternetServer in production to woody
> and i have only a ssh and telnet-ssl connection to that box.
>
> So, what's the best way to do it?
>
> If i lost net connection, i'm stuck. (Grab a monitor, a keyboard etc. take
> it to the cellar of the box at the other end of the city, reboot, wait,
> repair and meanwhile i got a few hours downtime...)
> That's s.th. i'm afraid of so i should try to avoid it...
>
> But how can a connection get lost while dist-upgrade and what can i do to
> avoid this?
>
> I have an other box which is nearly similar to that interbox in the LAN, so i
> can try it there first, but they don't share the network connection and
> config. And i can't switch boxes, they are too different.
>
> Has anybody done s.th. like that before? With success? Failed?
>
> ar
>
> Andreas Rabus
> entity38 AG
>
> Theresienstraße 29
> 80333 München
>
> Tel +49 (89) 286772-27
> Fax +49 (89) 286772-21
> ISDN +49 (89) 286772-30
> ICQ #132675697
>
> [EMAIL PROTECTED]
> www.entity38.de
Re: AW: dist-upgrade on remote server
Hello Andreas

You should be able to upgrade potato to woody with a 2.2 series kernel. You can compile/upgrade your kernel after the debian upgrade.

I would prefer to compile and test the kernel on a local machine and create a "kernel-image...deb" file. Then copy this onto the new server and install it with dpkg. But then you need to have the same hardware on your local machine to test it with.

Regards

Ian

On 5 Feb 2002, at 14:35, Andreas Rabus wrote:

> Is it possible to compile a new kernel before the reboot?
> What's about
> Our remote box has a RAID Controller from GDT whose driver surely is not in
> the default kernel...
>
> -Original Message-
> From: Donovan Baarda [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 5 February 2002 14:08
> To: I. Forbes
> Cc: Andreas Rabus; [EMAIL PROTECTED]
> Subject: Re: dist-upgrade on remote server
>
> On Tue, Feb 05, 2002 at 11:52:49AM +0200, I. Forbes wrote:
> > Hello Andreas
> >
> > It should be possible. I upgraded a number of machines from slink to
> > potato remotely, but I have not started on remote potato to woody
> > upgrades yet. It helps if you have practised on a local machine.
> >
> > I suggest you take a few precautions:
> [...]
> > - be very careful before you re-boot the machine.
>
> I just had to travel to a server that failed to come up from a reboot after
> remote upgrade to woody. The problem was kernel-2.4.17's initrd stuff didn't
> automatically load the AHA-2940 module... In the 2.2.x series kernel this must
> have been compiled in, but for the new 2.4.x series it needed an entry in
> /etc/modules. I ended up manually running modconf to add it in, then
> dpkg-reconfigure'd the kernel to make sure the initrd had it in. Another
> option that _might_ have worked is installing discover...
>
> Just something else to be wary of :-(
>
> --
> ABO: finger [EMAIL PROTECTED] for more info, including pgp key
Diverting smtp traffic
Hello All

I have an old e-mail server that is still accepting e-mail for some domains. The MX records for these domains are controlled by other parties and getting them changed would be a bit of a mission.

At the moment this server forwards all e-mail to my new e-mail server. However, in the process I lose some control. Particularly the anti-spam, anti-virus configurations etc. are not on the old server.

What I would like to do is forward all TCP traffic on port 25 on the old server directly to the new one. I have tried "ipmasqadm -- portfw" but there is no masquerading involved and it does not work.

I could also use "redir" or "xinetd" but these will hide the originating server IP address from the receiving server. That would mess up RBL controls and may even open up an open relay!

Has anybody done this before? The machine is running potato with a 2.2.19 kernel.

Thanks
Ian
Re: Diverting smtp traffic
Hello Jeremy

On 14 Feb 2002, at 9:14, Jeremy C. Reed wrote:

> > old server directly to the new one. I have tried "ipmasqadm --
> > portfw" but there is no masquerading involved and it does not work.
>
> Does not work? (Show us.)

This machine has two network cards, one with masquerading onto a private LAN. However the second mail server is on the public side. There is already forwarding of certain ports to machines inside the LAN, which works perfectly. So the kernel must have all the correct options compiled into it. However

> Try something like:
>
> ipmasqadm portfw -a -P tcp -L 192.168.0.1 25 -R 192.168.0.2 25

This is exactly what I am running, but it does not work. (It would work if the redirected IP was already being masqueraded.)

From /usr/share/doc/netbase/ipmasqadm/README.portfw.gz:

    Port forwarding uses the existing masquerading scheme to do all the
    rewriting of packets. The masquerading table (what you see when you
    type netstat -M or ipfwadm -M -l) is setup as if the connection
    started internally.

Which may give a clue why it does not work on IPs for which there is no masquerading configured.

> Your remote interface needs to listen on the original IP too.

Yes, I have checked that.

It seems I will have to upgrade to kernel 2.4. I thought there might be an inetd replacement that could do this (with correction of the source address IP).

As this is an old stable machine, and I don't want to fiddle too much, I think I will try another option - updating the mail server configuration to match that on our main server.

Thanks
Ian
Re: Upgrade a mail server
Hello Craig

On 19 Feb 2002, at 10:38, Craig Sanders wrote:

> i'd love to convert it over to Maildir/ but haven't yet found any way
> that doesn't involve many hours of downtime while converting the
> mailboxes from mbox format to Maildir.

I did this a while back. It is possible with very little apparent downtime. (We are using Exim and Courier):

- create Maildirs for all users. (This is important if both your POP3/IMAP software and MDA are not configured to create missing Maildirs "on the fly".)

- change your MDA to deliver into the new maildirs. (At this stage new mail is not visible to users when it arrives, but they can still see their old mail. The downtime for this phase should be short.)

- change your POP3/IMAP programs to pick up mail from the maildirs. (At this stage old mail is not visible to users, but new mail is. This should not be too much of a problem: if users have left MB worth of mail in their boxes, they can't want it too badly; it is when new mail is not available that people complain.)

- run your script which reads the mbox files and delivers to maildirs. My script renamed the mailbox files just after they had been converted, so I could restart the script without incurring duplicate deliveries if (when) the script crashed.

- By the time the script finishes, all mail is visible again.

- Keep the old mbox files around for a few days just in case you discover a problem ...

No corruption, no duplication, no mail lost, no file locking, no error messages on client desktops, not too much loss of service and very few support calls.

Have fun!
Ian
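One way to write the conversion step of the procedure above, as an added example rather than Ian's own script: it uses Python's standard "mailbox" module and keeps the restart-safe ordering the post describes, renaming each mbox file immediately after its messages have been delivered so that a crashed run can simply be started again. The spool layout (/var/mail/<user> into ~<user>/Maildir) and the ".converted" suffix are assumptions for the illustration.

```python
"""Convert mbox spool files to Maildirs, renaming each mbox once it is done.

Added example, not the script from the list post. The spool layout and the
".converted" marker suffix are assumptions; the conversion itself relies on
the standard-library mailbox module.
"""
import mailbox
import os

CONVERTED_SUFFIX = ".converted"   # assumed marker; anything the MDA will not touch


def convert_mbox_to_maildir(mbox_path, maildir_path):
    """Deliver every message in mbox_path into maildir_path.

    Returns the number of messages delivered. If the mbox no longer exists
    (an earlier run already renamed it) nothing is done and 0 is returned,
    which is what makes restarting after a crash free of duplicates.
    """
    if not os.path.exists(mbox_path):
        return 0
    src = mailbox.mbox(mbox_path, create=False)
    dst = mailbox.Maildir(maildir_path, create=True)   # makes cur/ new/ tmp/
    delivered = 0
    src.lock()      # fcntl + dot lock, in case something still writes here
    try:
        for msg in src:
            # MaildirMessage(mboxMessage) maps the mbox Status/X-Status flags
            # onto Maildir flags (R->S, A->R, D->T, F->F) and O onto cur/.
            dst.add(mailbox.MaildirMessage(msg))
            delivered += 1
        dst.flush()
    finally:
        src.unlock()
        src.close()
    # Rename straight after the last message so a restart skips this mailbox
    # instead of delivering all of it a second time.
    os.rename(mbox_path, mbox_path + CONVERTED_SUFFIX)
    return delivered


def convert_spool(spool_dir, home_dir):
    """Convert every mbox under spool_dir into <home_dir>/<user>/Maildir.

    Returns {user: messages_delivered} for the mailboxes converted this run.
    Already-renamed mailboxes are skipped, so the function is idempotent.
    """
    results = {}
    for user in sorted(os.listdir(spool_dir)):
        if user.endswith(CONVERTED_SUFFIX) or user.endswith(".lock"):
            continue
        results[user] = convert_mbox_to_maildir(
            os.path.join(spool_dir, user),
            os.path.join(home_dir, user, "Maildir"))
    return results


if __name__ == "__main__":
    import sys
    spool = sys.argv[1] if len(sys.argv) > 1 else "/var/mail"
    home = sys.argv[2] if len(sys.argv) > 2 else "/home"
    for user, count in convert_spool(spool, home).items():
        print("%s: %d message(s) delivered" % (user, count))
```

Run it as root after the MDA has been switched to Maildir delivery (step two above). It expects each user's home directory to exist already and does not change ownership, so a real run should chown the new Maildir to its user afterwards; the Maildir files are written through tmp/ and renamed into place, which is what lets the POP3/IMAP server read the directory while the conversion is still running.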
Problem with RAID1 on kernel 2.4
Hi All

I have just spent many hours trying to setup raid1 on a machine with an hpt366/hpt370 ide chipset. The machine has 3 ide hard drives as raid 1 + 1 hot spare, and a CD Rom, each device has its own IDE interface. The chipset has 4 ide ports and is supported on kernel 2.4.

The chipset has raid "features" but as I understand it these are implemented via a software disk driver, typically on Windows. There are patches for kernel 2.2 and some weird drivers from the manufacturer's web site which I think do the same under Linux. However kernel 2.4 has native support for the chipset and the other development seems to have stopped.

With 2.4 running I was presented with /dev/hda, /dev/hdc, /dev/hde, /dev/hdg for the drives. I installed linux raid1 for raid support.

I installed a standard debian 2.4.17 kernel and just enough packages out of woody to get it going. The rest is potato.

After a long night I think I have got it all going. However there are some areas that I am still not sure of:

1) The initrd is massive, about 3 MB. I hope that means I will always have all the modules I will ever need at boot time, and I assume the RAM is freed up by the time the system is running. I increased the size of my boot partition to 15 MB, but otherwise this is not really a problem.

Notwithstanding the above, I put a long list of modules in both /etc/modules and /etc/mkinitrd/modules (ide stuff, md, raid1, ext2, ext3 etc). I am not sure how much of this was necessary.

2) Then I had endless problems with raid1. It seems that the "failed-disk" directive in /etc/raidtab does not work. I think it has something to do with devfs - which is compiled into the standard "woody" 2.4 kernel. /proc/mdstat shows the drives with their devfs names not the old /dev/hd.. names.

While all the other directives seemed to work, using standard /dev/hd.. names, and I could build the raid, if I did a raidstop, followed by raidstart, it would not start again. Rather it gave me an error relating to the partition listed as "failed-disk". The only way to get it running again was with a mkraid --really-force option.

I tried installing debian's devfsd package but it did not solve the problem. Maybe there is some clever customization required to make it work.

Putting the full devfs names into /etc/raidtab did not work. Maybe I did not have everything setup correctly or I got the names wrong. I could not find any devfs devices in the /dev directory.

After lots of manipulation I managed to build a working system from a single disk to raid1 on all partitions, without relying on failed-disk, and it all seems to be working now.

I am not sure how much is related to the chipset, or whether this is a known issue with kernel 2.4.

In hindsight, I should have compiled a new kernel without initrd or devfs and made all the raid and ide modules built in. I actually tried this but after two or three compilations without getting a kernel with the right configuration, I thought doing it the other way might be faster.

Has anybody else been down this road yet?

Ian
Re: Problem with RAID1 on kernel 2.4
Hello Russell

Thanks for your comments.

On 26 Feb 2002, at 11:32, Russell Coker wrote:

> > 2) Then I had endless problems with raid1. It seems that the
> > "failed-disk" directive in /etc/raidtab does not work. I think
> > it has something to do with devfs - which is compiled into the
> > standard "woody" 2.4 kernel.
>
> No. failed-disk has always worked fine for me with devfs.

I have not been able to reproduce the problem again. However I think I had the index values in the raidtab file wrong. I had

raiddev /dev/md0
    raid-level            1
    nr-raid-disks         2
    nr-spare-disks        0
    chunk-size            4
    persistent-superblock 1
    device                /dev/hda5
    raid-disk             0
    device                /dev/hdc5
    failed-disk           1
    device                /dev/hde5
    spare-disk            3

when it should have been

raiddev /dev/md0
    raid-level            1
    nr-raid-disks         2
    nr-spare-disks        0
    chunk-size            4
    persistent-superblock 1
    device                /dev/hda5
    raid-disk             0
    device                /dev/hdc5
    failed-disk           1
    device                /dev/hde5
    spare-disk            0

NB note the last line of each block.

The man page shows an example but it is not clear on how the index numbers should be set.

I have not had a chance to rebuild the raid to see if this was in fact my problem. The server is running and serving web pages ...

And yes, I am using raidtools2!

Thanks
Ian
Re: Problem with RAID1 on kernel 2.4
Hello Russell

Yes it was "nr-spare-disks 1"

I just cut and copied the setup from another machine and edited it to illustrate my message. I missed the spare disks. :-(

At least raidtools2 shouts very quickly when you do that (I know!).

Thanks
Ian

On 27 Feb 2002, at 15:14, Russell Coker wrote:

> On Wed, 27 Feb 2002 14:53, you wrote:
> > when it should have been
> >
> > raiddev /dev/md0
> >     raid-level            1
> >     nr-raid-disks         2
> >     nr-spare-disks        0
>
> Surely that should be "nr-spare-disks 1"?
>
> >     chunk-size            4
> >     persistent-superblock 1
> >     device                /dev/hda5
> >     raid-disk             0
> >     device                /dev/hdc5
> >     failed-disk           1
> >     device                /dev/hde5
> >     spare-disk            0
> >
> > NB note the last line of each block.
> >
> > The man page shows an example but it is not clear on how the
> > index numbers should be set.
>
> The man page for mdctl is worse... :(
>
> --
> If you send email to me or to a mailing list that I use which has >4 lines
> of legalistic junk at the end then you are specifically authorizing me to do
> whatever I wish with the message and all other messages from your domain, by
> posting the message you agree that your long legalistic sig is void.
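The two raidtab blocks in this thread (the one Ian posted first and the one with the spare-disk count corrected) illustrate an error that mkraid only reports once you run it. Below is an added example, not raidtools2's own code, of a small pre-flight check for /etc/raidtab: it parses the file and verifies that nr-raid-disks and nr-spare-disks match the number of raid-disk/failed-disk and spare-disk entries, and that each group is indexed 0..n-1 with no gaps or duplicates. The two raidtab texts are reconstructed from the thread with the original whitespace restored; the parser is an assumption about the raidtab syntax described in raidtab(5).

```python
"""Sanity-check /etc/raidtab index numbers before running mkraid.

Added example, not part of the list thread. RAIDTAB_AS_POSTED is the block
Ian first posted (nr-spare-disks 0 with a spare-disk 3 line); RAIDTAB_FIXED
has the spare count and index corrected as discussed in the replies.
"""

MEMBER_ROLES = ("raid-disk", "failed-disk", "parity-disk")
ROLE_KEYS = MEMBER_ROLES + ("spare-disk",)

RAIDTAB_AS_POSTED = """\
raiddev /dev/md0
    raid-level            1
    nr-raid-disks         2
    nr-spare-disks        0
    chunk-size            4
    persistent-superblock 1
    device                /dev/hda5
    raid-disk             0
    device                /dev/hdc5
    failed-disk           1
    device                /dev/hde5
    spare-disk            3
"""

RAIDTAB_FIXED = """\
raiddev /dev/md0
    raid-level            1
    nr-raid-disks         2
    nr-spare-disks        1
    chunk-size            4
    persistent-superblock 1
    device                /dev/hda5
    raid-disk             0
    device                /dev/hdc5
    failed-disk           1
    device                /dev/hde5
    spare-disk            0
"""


def parse_raidtab(text):
    """Return [{"raiddev": ..., "params": {...}, "devices": [(dev, role, idx)]}]."""
    arrays, current, pending = [], None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments / blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "raiddev":
            current = {"raiddev": value, "params": {}, "devices": []}
            arrays.append(current)
        elif current is None:
            raise ValueError("line %d: %r before any raiddev" % (n, line))
        elif key == "device":
            if pending is not None:
                raise ValueError("line %d: device %s has no role line" % (n, pending))
            pending = value
        elif key in ROLE_KEYS:                       # role line closes a device
            if pending is None:
                raise ValueError("line %d: %s without a preceding device" % (n, key))
            current["devices"].append((pending, key, int(value)))
            pending = None
        else:
            current["params"][key] = value
    if pending is not None:
        raise ValueError("device %s has no role line" % pending)
    return arrays


def check_array(arr):
    """Return a list of problems for one raiddev block (empty means consistent)."""
    problems, params, md = [], arr["params"], arr["raiddev"]
    nr_raid = int(params.get("nr-raid-disks", 0))
    nr_spare = int(params.get("nr-spare-disks", 0))
    members = sorted(i for _, r, i in arr["devices"] if r in MEMBER_ROLES)
    spares = sorted(i for _, r, i in arr["devices"] if r == "spare-disk")
    for count_key, role, want, got in (("nr-raid-disks", "raid-disk/failed-disk", nr_raid, members),
                                       ("nr-spare-disks", "spare-disk", nr_spare, spares)):
        if len(got) != want:
            problems.append("%s: %s is %d but %d %s entries are listed"
                            % (md, count_key, want, len(got), role))
        if got != list(range(want)):                 # indices must be exactly 0..want-1
            problems.append("%s: %s indices should be %s, got %s"
                            % (md, role, list(range(want)), got))
    return problems


def check_raidtab(text):
    """Map each raiddev to its list of problems."""
    return {arr["raiddev"]: check_array(arr) for arr in parse_raidtab(text)}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/raidtab"
    with open(path) as f:
        for md, probs in check_raidtab(f.read()).items():
            print(md, "OK" if not probs else "\n  " + "\n  ".join(probs))
```

The as-posted block produces two findings for /dev/md0 (the spare count is 0 but one spare-disk line is present, and index 3 is outside 0..n-1), while the corrected block passes; running this against the file before mkraid gives the same answer raidtools2 gives, but before anything has been written to the superblocks.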
Re: Spammers hammering our mail servers
Hello Andrew

On 4 Mar 2002, at 14:06, Andrew Tait wrote:

> Every so often we have spammers hammering our mail servers (running Exim)
> attempting to relay messages. They fail of course, however they sit there,
> some times for several weeks, attempting e-mail address after e-mail
> address.

Are these spammers really trying to relay or are they trolling for addresses to spam by trying every name in a dictionary? I get logs like these:

2002-03-05 06:30:53 verify failed for SMTP recipient [EMAIL PROTECTED] from <[EMAIL PROTECTED]> H=lsanca1-ar14-113-104.lsanca1.dsl.gtei.net (mail.nowhere.com) [4.42.113.104]
2002-03-05 06:30:53 verify failed for SMTP recipient [EMAIL PROTECTED] from <[EMAIL PROTECTED]> H=lsanca1-ar14-113-104.lsanca1.dsl.gtei.net (mail.nowhere.com) [4.42.113.104]
2002-03-05 06:30:54 verify failed for SMTP recipient [EMAIL PROTECTED] from <[EMAIL PROTECTED]> H=lsanca1-ar14-113-104.lsanca1.dsl.gtei.net (mail.nowhere.com) [4.42.113.104]
2002-03-05 06:30:54 verify failed for SMTP recipient [EMAIL PROTECTED] from <[EMAIL PROTECTED]> H=lsanca1-ar14-113-104.lsanca1.dsl.gtei.net (mail.nowhere.com) [4.42.113.104]
2002-03-05 06:30:55 verify failed for SMTP recipient [EMAIL PROTECTED] from <[EMAIL PROTECTED]> H=lsanca1-ar14-113-104.lsanca1.dsl.gtei.net (mail.nowhere.com) [4.42.113.104]

> The two options I can see so far are either a program monitoring the
> rejectlog file to detect abuse, or an exim filter.

I don't have a solution for the above. Maybe the solution is a patch to exim that causes an increasing delay after each verification failure. This would have to be coupled to a configuration which limits the number of concurrent connections exim will accept from an IP address. (Available via the smtp_accept_max_per_host directive.)

Have you had a look at the exim documentation, web site and mailing list etc?

Regards
Ian
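A small detector for the "program monitoring the rejectlog" option discussed above, added here as an example and not something from the thread: it reads Exim "verify failed for SMTP recipient" lines in the format shown and flags any client IP that produces more than a threshold of failures inside a sliding window. The distinct-recipient count separates a dictionary scan (many different names) from an honest sender retrying one bad address. The sample log lines are constructed with documentation addresses and are not the hosts from the post.

```python
"""Spot dictionary-style recipient probing in Exim's log, per client IP.

Added example, not from the list post. SAMPLE_LOG is constructed in the
shape of the lines quoted in the thread, using documentation addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) verify failed for SMTP recipient "
    r"(?P<rcpt>\S+) from <(?P<sender>[^>]*)> H=(?P<host>\S+)"
    r"(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[0-9A-Fa-f.:]+)\]")

SAMPLE_LOG = """\
2002-03-05 06:30:53 verify failed for SMTP recipient aaron@example.invalid from <bulk@nowhere.invalid> H=dsl-44.example.net (mail.nowhere.invalid) [192.0.2.44]
2002-03-05 06:30:53 verify failed for SMTP recipient abbey@example.invalid from <bulk@nowhere.invalid> H=dsl-44.example.net (mail.nowhere.invalid) [192.0.2.44]
2002-03-05 06:30:54 verify failed for SMTP recipient abbott@example.invalid from <bulk@nowhere.invalid> H=dsl-44.example.net (mail.nowhere.invalid) [192.0.2.44]
2002-03-05 06:30:54 verify failed for SMTP recipient abe@example.invalid from <bulk@nowhere.invalid> H=dsl-44.example.net (mail.nowhere.invalid) [192.0.2.44]
2002-03-05 06:30:55 verify failed for SMTP recipient abel@example.invalid from <bulk@nowhere.invalid> H=dsl-44.example.net (mail.nowhere.invalid) [192.0.2.44]
2002-03-05 06:30:55 verify failed for SMTP recipient abigail@example.invalid from <bulk@nowhere.invalid> H=dsl-44.example.net (mail.nowhere.invalid) [192.0.2.44]
2002-03-05 06:31:10 verify failed for SMTP recipient sales@example.invalid from <customer@partner.invalid> H=mail.partner.invalid [198.51.100.7]
"""


def parse_line(line):
    """Return the fields of one verify-failure line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def find_probing_hosts(lines, window=60, threshold=5):
    """Return {ip: {"host", "flagged_at", "failures", "distinct_recipients"}}.

    A client is flagged the first time it accumulates `threshold` failures
    within `window` seconds; its counters keep growing afterwards so the
    report shows the full extent of the probe, not just the trigger point.
    """
    recent = defaultdict(deque)        # ip -> timestamps inside the window
    failures = defaultdict(int)
    recipients = defaultdict(set)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        failures[ip] += 1
        recipients[ip].add(rec["rcpt"].lower())
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire old entries
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"host": rec["host"], "flagged_at": ts}
    for ip, info in flagged.items():
        info["failures"] = failures[ip]
        info["distinct_recipients"] = len(recipients[ip])
    return flagged


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, info in find_probing_hosts(lines).items():
        print("%s (%s): %d failures, %d distinct recipients, first over threshold at %s"
              % (ip, info["host"], info["failures"], info["distinct_recipients"],
                 info["flagged_at"]))
```

Point it at the Exim main log (the verify failures are logged there as well as in the reject log) from cron; the output is the list a firewall rule or an Exim host-reject list would be built from, and it complements the concurrency cap that smtp_accept_max_per_host gives, which limits parallel connections but not a slow serial scan.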
Re: Admin for E-MAIL users only
Hello rj

On 4 Jul 2002 at 18:55, rj wrote:

> What is the best way to delegate some root privileges for a user
> which could only create e-mail accounts and make newaliases?

I have written a bunch of scripts in Python, that use the "super" utility to give effective root access to certain users for predefined tasks. It uses the "python-newt" user interface to give a full screen text mode interface like debconf's "dialog" one. The real work is done by adduser, userdel etc. It also has a module for adding and removing entries from the /etc/aliases file.

As with most sys-admin scripts, it is a bit beta, but if somebody is interested I could make it available.

Regards
Ian

PS: I have had in the back of my mind a web server which would authenticate the user, then spawn a child process under that user's ID. All further connects belonging to the authenticated session should be piped through to the child for processing. The child could then run a bunch of webmin type scripts to do things that could otherwise be done from the command line with user permissions. The child process should last as long as the session. When the session is closed or times out the server should kill the child and clean up.

This would prevent a new interpreter from getting started for every click - as is the case with a conventional cgi script - and also prevent the parent server from getting crashed by poorly written client scripts.

Has anybody seen something like this? Maybe something that supports Python scripts? (I could not find one, so I used the newt interface instead ...)
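The aliases part of such a delegated helper is where the privilege boundary actually lives: whatever runs under super(1) as root must refuse alias targets that the MTA would execute or read on the user's behalf ("|/path/to/program", "/path/to/file", ":include:/path"), otherwise "create an alias" quietly becomes "run a command as the mail system's user". The block below is an added example of that validation and of atomic editing of the aliases file; it is not Ian's module. The alias names and addresses are constructed, and the file format followed is the aliases(5) one.

```python
"""Delegated editing of /etc/aliases with strict target validation.

Added example, not the scripts from the list post. A wrapper that runs this
as root (via super, sudo or similar) lets a helpdesk user add and remove
plain user/address aliases but nothing the MTA would execute.
"""
import os
import re
import tempfile

ALIAS_NAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")
LOCAL_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_target(target):
    """Allow only a local user name or a plain mail address as a target."""
    t = target.strip()
    if not t or t[0] in "|/:":
        # "|cmd" pipes to a program, "/path" appends to a file and
        # ":include:/path" reads a list: all of them are off limits here.
        raise ValueError("refusing target %r: pipes, files and :include: are not allowed" % t)
    if LOCAL_USER_RE.match(t) or ADDRESS_RE.match(t):
        return t
    raise ValueError("refusing target %r: not a user name or mail address" % t)


def read_aliases(path):
    """Parse an aliases file into entries, keeping comments and blank lines.

    Entries are ("raw", line) for comments/blank lines and
    ("alias", name, [targets]) for aliases; continuation lines that start
    with whitespace are folded into the preceding alias, as aliases(5) does.
    """
    entries = []
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line.strip() or line.lstrip().startswith("#"):
                entries.append(("raw", line))
            elif line[0].isspace() and entries and entries[-1][0] == "alias":
                entries[-1][2].extend(t.strip() for t in line.split(",") if t.strip())
            else:
                name, _, rest = line.partition(":")
                entries.append(("alias", name.strip(),
                                [t.strip() for t in rest.split(",") if t.strip()]))
    return entries


def write_aliases(path, entries):
    """Write entries back atomically: temp file in the same directory, then rename."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".aliases.")
    try:
        with os.fdopen(fd, "w") as f:
            for entry in entries:
                if entry[0] == "raw":
                    f.write(entry[1] + "\n")
                else:
                    f.write("%s: %s\n" % (entry[1], ", ".join(entry[2])))
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def add_alias(path, name, targets):
    """Add a new alias; refuses bad names, bad targets and duplicate names."""
    if not ALIAS_NAME_RE.match(name):
        raise ValueError("bad alias name %r" % name)
    clean = [validate_target(t) for t in targets]
    if not clean:
        raise ValueError("alias needs at least one target")
    entries = read_aliases(path)
    if any(e[0] == "alias" and e[1] == name for e in entries):
        raise ValueError("alias %r already exists" % name)
    entries.append(("alias", name, clean))
    write_aliases(path, entries)


def remove_alias(path, name):
    """Remove an alias; returns True if it was present."""
    entries = read_aliases(path)
    kept = [e for e in entries if not (e[0] == "alias" and e[1] == name)]
    if len(kept) == len(entries):
        return False
    write_aliases(path, kept)
    return True


def lookup(path, name):
    """Return the targets of `name`, or None if there is no such alias."""
    for e in read_aliases(path):
        if e[0] == "alias" and e[1] == name:
            return e[2]
    return None
```

After a successful add or remove the wrapper still has to run newaliases (the step rj mentions) so the MTA's database matches the file; calling it with an argument list rather than through a shell keeps the validated names from ever being interpreted by anything but the MTA.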
DNS zone file audit tool
Hello All

I am looking for a means to audit our DNS zone files. Particularly I need something that checks that there are still upstream NS records pointing to our server for each domain that we host. Also I would like to check that our NS records point to valid name servers (particularly with secondary nameservers) and that our reverse DNS PTR records point to domains with valid A records.

I am looking for a Debian friendly utility to help with this. I have had a look at nslint but it does not seem to do what we need it to do.

Any other suggestions?

Th aks
Ian
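Of the three checks asked for above, the first two (is the parent still delegating to us, do our NS targets answer) need live queries, but the third, whether every PTR points at a name whose A record points back at that address, can be done entirely from the zone files. The block below is an added example of that offline check, not a tool suggested in the thread. The zone texts are constructed samples; the parser covers the usual master-file subset ($ORIGIN, $TTL, relative names, optional TTL and class, multi-line records in parentheses) and is an assumption, not BIND's loader.

```python
"""Offline check that reverse-zone PTR records agree with our forward zones.

Added example, not from the list post. FORWARD_ZONE and REVERSE_ZONE are
constructed samples in documentation address space.
"""

FORWARD_ZONE = """\
$TTL 86400
@       IN  SOA ns1 hostmaster (
            2003010101 ; serial
            3600 900 604800 86400 )
        IN  NS  ns1
        IN  NS  ns2.example.net.
ns1     IN  A   192.0.2.1
www     IN  A   192.0.2.10
mail    IN  A   192.0.2.20
        IN  A   192.0.2.21
"""

REVERSE_ZONE = """\
$TTL 86400
@   IN SOA ns1.example.invalid. hostmaster.example.invalid. 2003010101 3600 900 604800 86400
    IN NS  ns1.example.invalid.
1   IN PTR ns1.example.invalid.
10  IN PTR www.example.invalid.
20  IN PTR mail.example.invalid.
21  IN PTR mail.example.invalid.
30  IN PTR ghost.example.invalid.   ; no such host in the forward zone
40  IN PTR www.example.invalid.     ; www has no A record for .40
"""


def qualify(name, origin):
    """Make a master-file name absolute relative to origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return a list of (owner, rtype, rdata) with fully-qualified names."""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_owner, buf, owner_omitted = [], origin, "", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not buf:
            if not line.strip():
                continue
            owner_omitted = line[0].isspace()          # blank owner = previous
            buf = line
        else:
            buf += " " + line
        if buf.count("(") > buf.count(")"):            # still inside ( ... )
            continue
        tokens = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue
        if owner_omitted:
            owner = last_owner
        else:
            owner = qualify(tokens.pop(0), origin)
            last_owner = owner
        if tokens and tokens[0].isdigit():             # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype in ("NS", "PTR", "CNAME", "MX"):      # rdata ends in a name
            tokens[-1] = qualify(tokens[-1], origin)
        records.append((owner, rtype, " ".join(tokens)))
    return records


def ptr_owner_to_ip(owner):
    """'10.2.0.192.in-addr.arpa.' -> '192.0.2.10' (IPv4 reverse zones only)."""
    labels = owner.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:-2]))


def audit_ptr_records(forward_records, reverse_records):
    """One problem string per PTR whose target has no A record pointing back."""
    a_records = {}
    for owner, rtype, rdata in forward_records:
        if rtype == "A":
            a_records.setdefault(owner.lower(), set()).add(rdata)
    problems = []
    for owner, rtype, target in reverse_records:
        if rtype != "PTR":
            continue
        ip = ptr_owner_to_ip(owner)
        addrs = a_records.get(target.lower())
        if not addrs:
            problems.append("%s -> %s: target has no A record" % (ip, target))
        elif ip not in addrs:
            problems.append("%s -> %s: A record(s) %s do not point back"
                            % (ip, target, ", ".join(sorted(addrs))))
    return problems


if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, "example.invalid")
    rev = parse_zone(REVERSE_ZONE, "2.0.192.in-addr.arpa")
    for problem in audit_ptr_records(fwd, rev) or ["all PTR records check out"]:
        print(problem)
```

In practice the forward records come from every zone the server is primary for, concatenated, so that a PTR into a customer's domain is checked against that customer's zone rather than reported as missing.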
Debian Security Survey
Hi Joey

With regards to your "Debian Security Survey" (http://lists.debian.org/debian-devel-announce/2002/debian-devel-announce-200211/msg1.html).

Thank you for giving us the opportunity to listen to our feedback on the issue of security updates for Potato.

We are a small ISP, but we have specialized in setting up and maintaining e-mail and web-servers for our customers. We currently have over 70 servers under maintenance running Debian Linux. Of these 10 are running Woody, the rest are still on Potato. Virtually all of these servers are on remote customer sites. Most of the Potato servers are on analogue or ISDN dial-up connections. To upgrade Potato to Woody requires a download of about 100 MB - which is obviously a slow process.

We have quite a lot of carefully configured software on these servers. Thus we have been moving to Woody quite slowly and monitoring the systems for quirks in the upgrade process. When we are happy that we are making the "best use" of Woody we will start upgrading these servers "en masse". I expect this to be sometime in January next year. Even then it will take weeks to get them all upgraded. There may be some that we would prefer not to upgrade at all due to the nature of the hardware, limited usage etc.

Fortunately all of the dial-up boxes are on dynamic IPs which makes them far less vulnerable to scanning and intrusion than permanently connected hosts.

In addition we have one system which is running WAN router hardware as well as a multipoint serial card for remote dial-up access. This has a customized kernel (ver 2.2.19), customized advanced routing (using "ip route"), snmp, and a lot of scripts for monitoring and logging. Of course it is live 24/7 in a production environment. Upgrading this box is going to be a project all on its own.

We have already completed the upgrade of our main in-house webserver and mail servers. These were fairly big projects as they have customized setups, scripting etc. They also host many domains and many users so we had to devise strategies to complete the upgrades without causing too much disruption to the customers.

We have had development systems running Woody for a year or more.

I hope the above gives you an idea of what challenges are involved in upgrading to Woody. I think many other people are faced with similar tasks. It is important to understand that the slow pace of the upgrades is often not due to a late start or a lack of interest, but rather due to a large amount of caution when working with production systems.

I would like to see:

- Full security support for Potato for at least another 3 months.

- Limited security support for a longer period. For example it would be very nice if Debian Security could make a commitment to release updates for Potato, for any relevant vulnerability listed in a CERT (http://www.cert.org) advisory, for a period of say 12 months. The idea is to at least fix remotely exploitable vulnerabilities that do not require the attacker to have knowledge of a local account password.

I mentioned CERT as they seem to be very conservative. They do not issue advisories before the exploit has been verified and is deemed to be a significant risk. Thus many of the DSA's cover vulnerabilities which do not make it into the CERT lists. Yet a very large percentage of compromised servers are compromised via vulnerabilities that have already been published in CERT advisories at the time of the intrusion.

As no new software has been added to Potato for years the actual number of security releases required to implement the above should not be all that large.

Potato was the preferred stable version of Debian for a number of years and there must be a very large number of machines installed with this version of the distribution. Many of the people who installed Potato chose Debian because they were installing it on publicly accessible production servers. Debian is probably still the best distribution for a stable secure Linux system. It would be unfortunate to disappoint those people now.

Thanks
Ian Forbes
Re: [SECURITY] [DSA-196-1] New BIND packages fix several vulnerabilities
Hello All

The latest bind fiasco seems a bit of a mess:

I only hope that these packages will plug the holes:

> These problems have been fixed in version 8.3.3-2.0woody1 for the current
> stable distribution (woody), in 8.2.3-0.potato.3 for the previous stable
> distribution (potato) and in version 8.3.3-3 for the unstable distribution
> (sid). The fixed packages for unstable will enter the archive today.

But I predict that there will be several more DSA's and upgrades before the problem dies down.

With regards to this suggestion:

> We recommend that you upgrade your bind package immediately, update to
> bind9, or switch to another DNS server implementation.

We dropped sendmail many years ago and I think it may be time to drop bind. What experiences do others have with alternate DNS servers?

Unfortunately DJB's software is not an option for us. We tried working with his licence with qmail for a couple of years but we ended up chasing our tails with custom installations, patches and a general lack of progress and maintainability. So we dropped qmail for exim. It will have to be something with a DFSG compliant licence that replaces our bind. (This is a pity, because DJB has written some excellent software.)

Thanks
Ian
RE: SCSI or IDE
Hello All

We have about a dozen production machines running software RAID1 with IDE drives. We have experience going back about a year now and we have had a number of raid drive failures in that time.

Good points:

- If a drive fails, the machine carries on running and you can sort out the problem at a convenient time. You do not lose any data and not much downtime.

Bad points:

- After a drive fails it is not guaranteed 100% that the box will be bootable. If the bios supports booting off both IDEs it is a good start but some combination of drive/controller failures can leave the machine unbootable. A cold reboot as opposed to a warm reboot can make a difference. It is a good idea to have a boot stiffy available, this should always work. At worst you may have to disable a drive in the bios or open the case and swop the IDE cables to get it to boot.

- If you have a "glitch" on a drive the raid will mark the partition as defective possibly when there is no permanent damage. You have to reboot the server before you can attempt to bring this partition back on line. Once rebooted you can attempt to re-sync the drives. If you lose sync again in the next few hours, start planning on replacing the drive. But I have had a partition drop out, re-booted the machine, re-synced and it worked faultlessly for months. So it is definitely worth considering this before you replace the drive.

- You cannot "hot swap" the drives.

Bottom line is I would much rather have a machine with software raid 1 than one drive alone. Most of the new machines we build have this configuration. However if guaranteed 24/7 operation is your requirement, as opposed to security of data and minimizing downtime, then you will have to buy something exotic that supports hot-swap and has a good reputation.

I have also played with machines with cheap bios based raid which proved frustrating. I would much rather use Linux software raid than any of these.

Be very careful to set-up and check your cron scripts. If a drive fails, you need the machine to send an e-mail to an address where you know it is going to be read and acted upon! You do not want that e-mail buried in 1000 other system warnings that get deleted without being read.

Have fun.
Ian

On 28 Nov 2002 at 14:15, Jones, Steven wrote:

> If you lose the primary boot disk on software raid it's not bootable in my
> experience.
>
> I wouldn't use software raid for any prod box for this reason.
>
> I happen to have 2 x 20g sitting, and since I only need 2 gig ish
> max..
>
> Steven
>
> -----Original Message-----
> From: Russell Coker [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 28 November 2002 1:35
> To: Jones, Steven; 'Thomas Kirk'
> Cc: [EMAIL PROTECTED]
> Subject: Re: SCSI or IDE
>
> On Wed, 27 Nov 2002 23:30, Jones, Steven wrote:
> > http://www.promise.com/product/product_detail_eng.asp?productId=93&familyId=7
> >
> > i was actually looking at one of these.
> >
> > For my simpler needs, data protection is important but there isn't lots of
> > it so 2 x 20 gig disks mirrored is heaps. I would like to keep the uptime
> > up, so was thinking of this solution, anybody tried one? It's for my web
> > server with all of a 128k connection so sucky performance isn't an issue as
> > its bugger all hits.
>
> If you only need RAID-1 then software RAID is probably best. It's cheapest
> and provides much better performance than most hardware RAID's. Also if you
> only need 20G of storage then you still may want to consider 120G drives,
> they are much faster than 20G drives.
>
> > However for another job I'm thinking of elsewhere (a 2 node cluster) though
> > it would be a disaster. 3meg a sec just won't cut it, i can get 16 meg off a
> > second hand scsi setup for the same dosh.
>
> You can get 40 meg from a software RAID-1 on IDE drives more easily and
> cheaply.
>
> --
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
Re: SCSI or IDE
Hello Russell

On 28 Nov 2002 at 13:52, Russell Coker wrote:

> On Thu, 28 Nov 2002 13:15, I. Forbes wrote:
> > - If you have a "glitch" on a drive the raid will mark the partition
> > as defective possibly when there is no permanent damage. You have to
> > reboot the server before you can attempt to bring this partition back
> > on line. Once rebooted you can attempt to re-sync the drives.
>
> That is strange. On many occasions I have had a transient error or a failing
> drive drop out of a RAID but then work fine when I ran raidhotadd...

In my experience, if the drive dropped out due to an error, you have to reboot the machine before raidhotadd will attempt to remount it. (This may vary between kernel versions.)

> > Be very careful to set-up and check your cron scripts. If a drive
> > fails, you need the machine to send an e-mail to an address where you
> > know it is going to be read and acted upon! You do not want that e-
> > mail buried in 1000 other system warnings that get deleted without
> > being read.
>
> The raidtools2 package comes with a cron script that does well in this regard.

The e-mail generated from raidtools2 is embedded in the "cron.daily" report. If you have a bunch of programs that get run by cron.daily and generate a lot of output, a critical raid disk warning can get lost in the noise.

I have modified my cron scripts to send a second e-mail directly to an address that does not normally get any system messages. This one can be cc'd to the client if need be. They like that kind of reassurance.

Ian
swapon not run at boot with raid drives
Hello All

I have picked up a problem with my servers running potato + raid 1 mirror drives. The problem is as follows:

- raid gets out of sync for some reason,
- server gets rebooted,
- raid re-sync process starts automatically on boot,
- start-up scripts look for and detect the re-sync process and refrain from running swapon (see /etc/init.d/checkroot.sh and /etc/init.d/mountall.sh),
- raid re-sync completes but swap drives are not mounted and stay unmounted.

From what I can see this will happen on a Woody system too.

Is this a bug, or is there something I am missing? What are the pitfalls of mounting swap partitions while the re-sync is running?

(I normally size the RAM in a server such that the swap space is never used. But there is always some script which uses "sort" or something in a manner which overflows into swop space. This makes the problem worse as it only normally comes to light when the weekly or monthly cron scripts are running, and nobody is around to pick up the pieces.)

Any ideas?

Thanks
Ian
Re: swapon not run at boot with raid drives
Hello Russell

On 21 Jan 2003 at 11:30, Russell Coker wrote:

> There was a bug in 2.2.x kernels which could cause a kernel panic if you
> swapped on a RAID device that was re-syncing. AFAIK 2.4.x had it fixed long
> ago. So if you are running a 2.4.x kernel you can just edit the shell script
> in question to remove that check.
>
> Why not put "swapon -a" in a cron job?

I have done this, protected by an if statement to check if the drives are busy syncing. It should work, but it is a bit clumsy. It would be neater to have something which waited until the syncing was finished and then mounted the swop partitions.

If my swop partitions are not on raid devices, am I vulnerable to the above bug? (Not that I really want to test this on production machines.)

Thanks
Ian
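Both threads above come down to reading /proc/mdstat from cron and acting on it: the RAID1 thread wants a failed drive reported in an e-mail of its own, not buried in the cron.daily digest, and this thread wants "swapon -a" run only once no array is still re-syncing. The block below is an added example that does both, not the cron scripts from either thread. The mdstat text is constructed to look like a 2.4 kernel's output; the alert address and the sendmail path are assumptions.

```python
"""Check /proc/mdstat for degraded or resyncing arrays; alert and swapon.

Added example, not the cron scripts from the list threads. SAMPLE_MDSTAT is
a constructed 2.4-style /proc/mdstat; ALERT_TO and SENDMAIL are assumptions.
"""
import re
import subprocess

ALERT_TO = "raid-alerts@example.invalid"      # assumed dedicated address
SENDMAIL = "/usr/sbin/sendmail"               # assumed MTA submission path

SAMPLE_MDSTAT = """\
Personalities : [raid1]
read_ahead 1024 sectors
md0 : active raid1 hdc5[1] hda5[0]
      1951744 blocks [2/2] [UU]
md1 : active raid1 hdc6[1](F) hda6[0]
      4096448 blocks [2/1] [U_]
md2 : active raid1 hdc7[1] hda7[0]
      8192768 blocks [2/2] [UU]
      [=====>...............]  resync = 27.3% (2240000/8192768) finish=3.2min speed=30000K/sec
unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\w+)\s+(\w+)\s+(.*)$")
MEMBER_RE = re.compile(r"(\S+?)\[(\d+)\](\([A-Z]\))?")       # hdc6[1](F)
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")      # [2/1] [U_]
PROGRESS_RE = re.compile(r"(resync|recovery|reshape|check)\s*=\s*([\d.]+)%")


def parse_mdstat(text):
    """Return {md: {state, level, members, failed, want, have, status, progress}}."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, rest = m.groups()
            members = MEMBER_RE.findall(rest)
            current = arrays[name] = {
                "state": state, "level": level,
                "members": [dev for dev, _, _ in members],
                "failed": [dev for dev, _, flag in members if flag == "(F)"],
                "want": None, "have": None, "status": None, "progress": None}
            continue
        if current is None:
            continue
        s = STATUS_RE.search(line)
        if s:                      # "[2/1]" = 2 configured, 1 working
            current["want"], current["have"] = int(s.group(1)), int(s.group(2))
            current["status"] = s.group(3)
        p = PROGRESS_RE.search(line)
        if p:
            current["progress"] = (p.group(1), float(p.group(2)))
    return arrays


def degraded_arrays(arrays):
    """Arrays with a failed member or fewer working members than configured."""
    return sorted(n for n, a in arrays.items()
                  if a["failed"] or (a["want"] is not None and a["have"] < a["want"]))


def resyncing_arrays(arrays):
    return sorted(n for n, a in arrays.items() if a["progress"] is not None)


def build_report(arrays, hostname):
    lines = ["RAID status on %s" % hostname]
    for n in degraded_arrays(arrays):
        a = arrays[n]
        lines.append("DEGRADED %s (%s): %s of %s members working %s, failed: %s"
                     % (n, a["level"], a["have"], a["want"], a["status"],
                        ", ".join(a["failed"]) or "none"))
    for n in resyncing_arrays(arrays):
        kind, pct = arrays[n]["progress"]
        lines.append("%s %s at %.1f%%" % (n, kind, pct))
    return "\n".join(lines)


def send_alert(body, hostname, to=ALERT_TO):
    """Send the report as its own message instead of as part of cron's output."""
    msg = "To: %s\nSubject: RAID problem on %s\n\n%s\n" % (to, hostname, body)
    subprocess.run([SENDMAIL, "-t", "-oi"], input=msg.encode(), check=True)


def swap_is_active():
    with open("/proc/swaps") as f:
        return len(f.read().splitlines()) > 1        # header line only = no swap


def main():
    import socket
    host = socket.gethostname()
    with open("/proc/mdstat") as f:
        arrays = parse_mdstat(f.read())
    if degraded_arrays(arrays):
        send_alert(build_report(arrays, host), host)
    # Only add swap once no array is still syncing; this is the condition the
    # boot scripts check, so it is safe on a 2.2 kernel as well as on 2.4.
    if not resyncing_arrays(arrays) and not swap_is_active():
        subprocess.run(["swapon", "-a"], check=True)


if __name__ == "__main__":
    main()
```

Run from root's crontab every few minutes: until the resync finishes it does nothing, then it runs swapon -a exactly once, and a failed member produces a separate message to the dedicated address each run until it is fixed, which is the point Ian makes about not letting the warning drown in cron.daily.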
Re: ISP Billing Software / RODOPI
Hello Kirk

On 25 Feb 2003 at 14:08, Kirk Ismay wrote:

> Finally, one thing I've been considering is to use SQL-Ledger
> (http://www.sql-ledger.org/) as a core accounting system and re-write my
> recurring billing and provisioning programs as add on modules. I can't
> promise that I'd be able to do this, but if there are interested
> co-developers / potential users email me off list. I'll use those as an
> argument to not abandon our in house code and open-source the project.
> Thank you all for your time and input.

We are also looking at this route. Currently we run a Windows based system for generating recurring invoices and tracking customer payments. We use SQL-Ledger to keep the "books". Monthly totals from the Windows system are carried across into SQL-Ledger manually.

The SQL-Ledger replaced a commercial Windows accounting package. Since we changed, we have never looked back. In terms of usability and flexibility, SQL-Ledger is tops!

Now we are rewriting the Windows stuff with a postgres back end and python cgi interface. This will make calls to the SQL-Ledger API to generate the recurring invoices. The invoices, statements and payments will be handled by SQL-Ledger. (Currently our Windows app does that.)

My guess is that everybody has their own specific requirements. Our focus is on the business market. We do not have a direct interface between our accounting system and our radius servers. We don't use traffic statistics to generate invoices and we do not have an "on-line" interface for customers. We also do not take credit card payments. So we won't be looking at any of these "features" soon.

I suspect that we will be stretching SQL-Ledger's abilities, but I have every confidence that we can deal with any shortcomings that bother us. Development on SQL-Ledger is very active and most of the limitations are already being addressed.

If there are others working on similar projects, I would be happy to co-operate.

Regards
Ian
Re: 400 000 mails in 12 Hours
Hello debian-isp

On 27 Feb 2003 at 12:10, debian-isp wrote:

> I have the task of setting up a mailserver capable of sending 400 000
> mail in a max time of 12 hours. All mails have an attachment of 1 mb.
> The system should be a mailer for a newsletter system. As I made quite
> a couple of things with postfix, my concern is the amount and
> considerations which have to be made when handling such an amount.

I have a problem with this. I cannot imagine any scenario which would justify sending out 400 000 e-mails with a 1 MB attachment. The chaos that this will cause to your recipients and the ISPs that host their e-mail will be very significant. You are likely to find yourself subject to many complaints, and a listing on "Spamcop" is a distinct possibility.

So before you look at the technicalities of setting up the e-mail server, try and answer the following first:

- Have all 400 000 people indicated their willingness to receive this e-mail? I can't believe they are employees of an organization, and even if they are clients of a bank or insurance company, it does not mean they would all be happy to get your e-mail.

- Does the attachment have to be 1 MB? Unless it contains essential graphs or maps, it should be possible to make it smaller. 1 MB of text can hold a very large amount of information.

- Would it not be better to distribute the file from a web site or ftp site, and e-mail a link from where it could be downloaded?

I manage an e-mail list on behalf of a club. There are about 100 paying members on the list which is used to distribute a newsletter about once a month. Some members are keen to see some pictures in the newsletter - which obviously adds to its size. If the file size is held at 500 to 700 kB it usually goes through without problems. If the file size exceeds 1 MB we have had up to 30% bounces, complaints and a variety of other problems. Every issue I have to negotiate with the editor to get the size reduced!

(This is the size of the file that gets attached, the e-mail is significantly bigger.)

Good Luck

Ian
ANNOUNCE: "pyscan" Anti-Virus Filter Software
Hello All

I have put together an antivirus filter for use with Exim. The filter is written in Python, and it works by examining Mime headers in e-mail messages. It does not make use of a pattern database.

You could describe it as an upgrade to the antivirus Exim system filter published on the Exim website. However it has comprehensive Mime parsing capabilities and features for sending virus notification to both senders and recipients. It is similar to the application "mimedefang", but it is not dependent on "procmail" and works for incoming, outgoing and relayed e-mail.

I have developed it on a Debian "woody" server running Exim 3.35. It has worked well on one of our production servers for over 6 months, handling about 500 MB of mail (over 1 messages) per day.

I think there may be others who are brave, and interested enough to want to try it. So I have published it on my web site at the following URL:

http://www.zsd.co.za/~ian/software/pyscan/

It is free, GPL licence. If there is any significant interest, I will set up a mailing list for interested users.

Regards

Ian
Re: Easier administration (similar to Linuxconf)
Hello All

On 29 Mar 00, at 16:20, Smoerk wrote:

> > You know the "web-enabled" administration software used by Cobalt servers?
> > I was wondering if anything for Linux (and hopefully debianized) was
> > similar?
>
> Maybe Webmin (www.webmin.com)?
> But why don't you write some scripts, which setup a default
> configuration? A config tool is not faster than doing the same in the
> config files. It's easier, but not faster.

I have also been thinking about this problem for a while. Specifically I would like an interface to allow the following.

Users to do things like:
- change passwords
- change their ".forward" file settings.

And a semi privileged non-root administrator to:
- add and delete users
- change other users' passwords (but not root password)
- view other users' mail
- edit /etc/aliases

I have looked at linuxconf and webmin. Linuxconf seems to be an overkill and too experimental (especially on Debian) to let loose on semi-skilled admins. Webmin seemed to climb in and edit files without any regard for standard system tools. I had a look at the coding of an early version and decided to leave it. It may be better by now.

My idea was to find or write simple console based, but menu driven tools for doing these tasks. These could be accessed from the linux console, telnet, xterm or from a web page via the java telnet client. It has the major advantage over linuxconf and webmin in that everything that runs on the linux box runs under the user's own uid, which is much simpler to secure than anything that works off a www interface and runs suid root.

Has anybody got any console based, menu driven scripts to start with?

Ian
Policy for use of Group Names
Hello All

I am looking at drawing up a policy for some of our local machines and also client machines that we administer. Certain grades of users will be made members of groups with specific privileges. Then I can tweak things so that members of those groups have access to things like read log files, update web pages in /var/www, and upload files to /pub/ftp etc, without root access.

However, before I go and re-invent the wheel, I was just wondering if there is a Debian policy (or unofficial policy or understanding) on what the "traditional" unix groups are used for.

There are some of them which are obvious like

root:x:0:
lp:x:7:lp
mail:x:8:
news:x:9:
uucp:x:10:
majordom:x:31:
postgres:x:32:
www-data:x:33:

Others seem to be traditional unix names, but I am not sure what privileges these group IDs have on a Debian or other typical unix installation:

daemon:x:1:
bin:x:2:
sys:x:3:

However the ones I am most interested in are

adm:4:
tty:x:5:
disk:x:6:
cdrom:x:24:
floppy:x:25:
tape:x:26:
backup:x:34:
operator:x:37:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:

Which files and directories allow access from these groups in a Debian installation? Would it make sense to add certain users to say "cdrom", "adm" or "staff"? What rights would such a user be expected to gain from this?

Any comments would be appreciated.

Thanks

Ian
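A way to answer "which files and directories allow access from these groups" on a given box, rather than relying on a policy document: walk the filesystem and list what each group can read, write or execute. This is an added example, not code from the post or from Debian; it assumes GNU find (for -printf) and is run on the machine being audited.

```shell
#!/bin/sh
# Added example (not from the original post): list what a Unix group can
# touch on a Debian system, to decide whether adding a user to "adm",
# "disk" or "staff" grants more than intended. Uses GNU find (-printf).

# group_paths GROUP [ROOT]
# Print "mode path" for every file or directory under ROOT (default /) that
# is owned by GROUP and grants that group read, write or execute/search
# access. Stays on one filesystem (-xdev) so /proc and NFS mounts are
# skipped; errors for unreadable directories are silenced.
group_paths() {
    find "${2:-/}" -xdev -group "$1" \
        \( -perm -g=r -o -perm -g=w -o -perm -g=x \) \
        -printf '%M %p\n' 2>/dev/null
}

# group_writable GROUP [ROOT]
# The subset the group can modify. Writable directories matter most, since
# a group member can create or replace entries in them (e.g. drop a file
# into a spool directory that a daemon later trusts).
group_writable() {
    find "${2:-/}" -xdev -group "$1" -perm -g=w -printf '%M %p\n' 2>/dev/null
}

# setgid_for GROUP [ROOT]
# Set-group-ID executables owned by GROUP (mode bits 2010 = setgid and
# group-execute). Running one of these confers the group's rights on any
# user, so they define the group's exposure even to non-members.
setgid_for() {
    find "${2:-/}" -xdev -group "$1" -type f -perm -2010 \
        -printf '%M %p\n' 2>/dev/null
}

# "groupaudit.sh report" prints the interesting parts for the groups the
# post asks about; no arguments just defines the functions.
case "${1:-}" in
    report)
        for g in adm disk staff operator; do
            echo "== group $g: writable paths"; group_writable "$g"
            echo "== group $g: setgid executables"; setgid_for "$g"
        done ;;
esac
```

Run as root so that find can descend everywhere; the "disk" listing in particular should show the raw block devices under /dev, which is why membership of that group is effectively root.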
Re: Mass install / Autoinstall (Was: Re: Debian vs Red Hat??? I need info.)
Hello All

There is definitely some scope for development in this area. Debian is one of the best distros to maintain but it is one of the worst to install. These advantages and disadvantages are multiplied when you have many machines to maintain.

On 17 May 00, at 21:55, Karl M. Hegbloom wrote:

> You can make a copy of the system like this... it will create a
> `cpio' archive... substitute `ustar' for `crc' to make a `tar'
> compatible archive. RTFM's... you're on your own.
>
> 8<>8
> #!/bin/bash
> find / -print0 |
> grep --invert-match --extended-regexp --null-data --file=/root/make-tarball.exclude-patterns |
> cpio --create --format=crc --null --reset-access-time --block-size=10 |
> gzip --best > /tmp/system-snapshot_$(date +%Y.%m.%d).cpio.crc.gz
> 8<>8

I tried this to create a custom "base2_2.tgz" with reasonable results.

First problem is that we need a tar file and not a cpio one. Cpio's "tar" format does not support block devices so the whole /dev/ directory gets broken. Then I tried "ustar". This worked better but still has some limitation on file name length. A few files in /var/state/apt/lists/* were too long - not a major train smash.

I wasted a few hours trying "tar" instead of cpio. It seems not to be able to back up a directory without backing up the contents of that directory; this is a problem with things like /var/cache/apt/archives. Maybe a real find/grep/tar guru could get it right but I went back to Karl's script :-)

I still have some bugs. After the base install lilo would not run (something broken with vmlinuz softlink). Then when the new system is rebooted it went into a loop asking about shadow passwords etc. I eventually replaced the /etc/inittab. Bug squashing is a slow process ... a full test cycle requires a backup and a new installation.

This seems a viable method of setting up a mass install system.

After I got things going I used Midnight Commander to do some global searches and replaces in /etc to sort out things like domain names and ppp accounts etc and then I had a system ready to run with exim, squid, dns, ppp, diald, mgetty, calamaris, dhcp, apache, ftp, ipchains, samba, uucp, fetchmail etc all working! Best of all it is a fully compliant Debian system, so apt-get update | apt-get upgrade also works!

Next step may be to modify the dinstall program.

Question: Isn't there a deb package with scripts for creating boot disks? I feel I should not be reinventing the wheel.

Another question: Which list should we be discussing this on? Karl's original message was sent to a whole bunch of lists.

My modified scripts are as follows (mind the line wrapping):

#! /bin/bash
find / -print0 |
grep --invert-match --extended-regexp --null-data --file=/root/config/exclude-pattern |
cpio --create --format=ustar --null --reset-access-time --block-size=10 |
gzip --best > /tmp/base2_2-$(date +%Y.%m.%d).tgz

/root/config/exclude-pattern:

^/proc/.*
^/tmp/.*
/lost+found
^/boot/lost+found
^/var/cache/apache/.*
^/var/cache/apt/.*\.deb
^/var/log/.*\.log
^/var/log/(amanda|apache|gdm|ksymoops|mailman|news|sendfile|wu-ftpd)/.*
^/var/log/(syslog|smb|nmb|messages|mail|lpr|debug|dmesg).*
^/var/lock/.*
^/var/run/.*\.pid
^/var/run/(ndc|utmp)
^/var/samba/.*
^/var/spool/squid/.*/.*/.*
\.bash_history
\.gnome-errors
.*~
/\.saves-.*
/\.#.*
/\.netscape/cache/.*
^/etc/modules
^/etc/hostname
^/etc/hosts
^/etc/networks
^/etc/resolv.conf
^/etc/modutils/
^/etc/apm/event.d/pcmcia
^/etc/init.d/pcmcia
^/etc/pcmcia/
^/etc/network/interfaces
^/tmp/

Ian Forbes
Suggestion for Mail Archiving Software
Hello All

Has anybody got experience with and/or suggestions for mail archiving software? I want copies of all mail arriving at certain addresses (sales, info, abuse etc) to be fed into an archive.

Ideally it should have the following features:

- The archive should be accessible by a web or perhaps IMAP interface.
- It should be rotated say once a month.
- The archive files themselves should be compressed.

There are lots of mailing lists which get archived, so there should be a number of programs to choose from.

Any suggestions?

Thanks

Ian
RE: VPN recommendations
Hello All

Tunnelv is a userland package that works via the ethertap device. It is quite neat and totally secure.

But it has a bug that conflicts with diald. Diald will also use the ethertap device if the kernel supports it. The bug is that both packages insist on using the first device "tap0" - at the same time. I could not find an easy solution to make one of them use "tap1" - I must still file a bug report.

Also the debian (potato) package is a bit lacking in scripts for starting and stopping the daemon. You will need to put together some clever stuff to put in /etc/init.d/tunnelv (which is not in the package) and maybe in /etc/ppp/ip-up and /etc/ppp/ip-down on the other end. I suppose it all depends on what kind of network you are working on.

Ian Forbes

On 14 Sep 2000, at 10:09, Werner Fleck wrote:

> I am using Tunnel Vision (http://www.worldvisions.ca/tunnelv/) for 18 months
> now. It is easy to configure and it works very reliable. And there is a
> debian package "tunnelv".
>
> Werner
>
> > -Original Message-
> > From: Kim O [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 14, 2000 7:42 AM
> > To: debian-isp@lists.debian.org
> > Subject: VPN recommendations
> >
> > was just wondering what the best way is to do VPN between
> > linux servers in
> > different places to establish a small private network over public
> > infrastructure. packages, software or howtos appreciated.
> >
> > thanks
> >
> > Kim
RE: VPN recommendations
Hello Werner

No it is not that simple. Tunnelv counts its own tunnels and assigns tap devices accordingly, but it insists on starting with "tap0", even when that device is already being used by diald.

Diald should also work with multiple instances on the same server. I assume it can also sort out its own "tap" devices. (But I have never tried it).

Neither diald nor tunnelv has an option where I can specify a specific "tap" device for a specific instance of the program. Anybody out there who can help, I would be interested to hear.

Otherwise is it possible to set up a tunnel with pptpd? I think I will try that one next.

Regards

Ian

On 14 Sep 2000, at 13:25, Werner Fleck wrote:

> May be it's a problem of diald -- I have a production system with three
> simultaneous tunnel vision vpns running on tap0, tap1 and tap2.
>
> Werner
Compiling bind_8.2.3-0 for slink
Hello All

I am trying to compile the latest "bind" on a slink system. (It is a production system that I don't wish to upgrade right now, and I am also not happy running the old vulnerable version ...)

The compilation bombs out with the following message:

make[3]: Entering directory `/home/ian/dev/bind/bind-8.2.3/src/bin/addr'
gcc -D_GNU_SOURCE -I../../port/linux/include -I../../include -O -g -c addr.c
gcc -D_GNU_SOURCE -O -g -o addr addr.o \
../../lib/libbind.a -lfl
ld: cannot open -lfl: No such file or directory
make[3]: *** [addr] Error 1
make[3]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src/bin/addr'
make[2]: *** [addr] Error 1
make[2]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src/bin'
make[1]: *** [all] Error 1
make[1]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src'
make: *** [build-stamp] Error 2

I assume it is looking for some library that I do not have, or it does not like slink's libc, or gcc. However I don't know too much about this.

Does anybody have any suggestions as to what is causing this? Or alternatively, does anybody know of a (reputable) slink version, *.deb binary file that I can download? (I am also looking for the latest proftpd and openssh, compiled for slink).

Thanks

Ian
Re: Compiling bind_8.2.3-0 for slink
Hello Russell

On 6 Mar 2001, at 8:09, Russell Coker wrote:

> Isn't there a security update for that?

There is, but the update has not been released for slink, just potato, that's why I needed to recompile it.

> > The compilation bombs out with the following message:
> >
> > make[3]: Entering directory `/home/ian/dev/bind/bind-8.2.3/src/bin/addr'
> > gcc -D_GNU_SOURCE -I../../port/linux/include -I../../include -O -g -c addr.c
> > gcc -D_GNU_SOURCE -O -g -o addr addr.o \
> > ../../lib/libbind.a -lfl
> > ld: cannot open -lfl: No such file or directory
> > make[3]: *** [addr] Error 1
> > make[3]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src/bin/addr'
> > make[2]: *** [addr] Error 1
> > make[2]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src/bin'
> > make[1]: *** [all] Error 1
> > make[1]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src'
> > make: *** [build-stamp] Error 2
> >
> > I assume it is looking for some library that I do not have, or it does
> > not like slink's libc, or gcc. However I don't know too much about
> > this.
>
> Grepping Contents.gz suggests that libfl.a is in package "flex"...

Thanks, that's the clue I needed. For the record, in addition to "flex", I had to install "bison" and "mmv", on top of what I had there already.

But this was only the beginning. The thing compiled but dpkg-buildpackage bombed out because it was trying to install things into directories such as "debian/bind-dev/usr/share/man" in the build directory hierarchy - which did not exist. Trying to add them manually did not seem to help, then I added a whole lot of directories to the lists in debian/dirs, debian/bind-dev.dirs etc. This also did not work.

Then I copied the contents of /usr/sbin from the potato version of the "debhelper" package into /usr/local/sbin and started making progress again. (Perhaps I could have installed the new "debhelper" - I was not brave enough to try that).

There was still one more hiccup. "dh_fixperms" bombed out because it was trying to use "chown --no-dereference" - which works on potato but not slink. (Funny thing is the original slink version of dh_fixperms also bombed out - it contains the same code ..). I edited out the "--no-dereference" option in the perl code for that script and I finally got a working *.deb package.

If anybody wants a copy of it, e-mail me. I think my package is a bit too "alpha" to put up on an ftp server (version numbers etc will probably break on an upgrade). When you install it you still get major complaints about how the whole installation must be fixed up manually to make it work. (I have done that part dozens of times over now - I think I could have re-written the installation script by now).

The thing takes longer than a kernel to compile (well it felt longer) and it has been keeping the cpu in my old slink server rather warm for the last day or two..

I think I must take some time off to read the "Packaging" manual, as I must still do proftpd and openssh ...

Cheers

Ian
Compiling courier on potato
Hello All

As a follow-up to recent discussions on compiling debs on "old" releases:

I am running the latest Courier IMAP + POP3 on Potato. I am also planning on installing Sqwebmail (which I have managed to compile). But all of this is compiled from source and installed under /usr/local/

I was looking at the unstable debian package for Courier, courier_0.31.1-2.dsc.

Build-Depends: libmysqlclient10-dev, libpam0g-dev, libdb2-dev, libperl-dev, debhelper (>= 1.1.17), mime-support

The libmysqlclient and debhelper are newer than those on potato, and I can't find "libperl-dev".

What chances are there to get this to compile on potato, or should I just stick with the source distribution?

Thanks

Ian
Re: Compiling courier on potato
Hello Jeff

I tried it, and I can answer my own question ...

On 9 Mar 2001, at 23:26, Jeff Waugh wrote:

> > I was looking at the unstable debian package for Courier,
> > courier_0.31.1-2.dsc.
> >
> > What chances are there to get this to compile on potato, or should I
> > just stick with the source distribution?
>
> Funny, I've been trying the same thing. :) I have emailed the maintainer
> about my problem too, but as yet have not received a reply. These are the
> final lines of the unsuccessful build:

It builds fine, but there are a few bugs ...

> debian/fixlinks
> /home/jdub/src/debian/courier/courier-0.31.1/debian/tmp/usr/sbin
> make: execvp: debian/fixlinks: Permission denied
> make: *** [install] Error 127

I had to change the permissions on "debian/fixlinks" to make it executable.

Then I had to add a line: "MAILDIR=Maildir" to /etc/init.d/courier-imap to set that environment variable so it would find my Maildir directories. I think courier-pop may need the same.

The installation trashed the contents of /etc/pam.d/imap (I took a copy from the potato courier-imapd package) and I had to fiddle with /etc/courier/imapd to get it to authenticate. I have not set up the pop3d, but I would expect similar problems.

I had to add a few symbolic links to get sqwebmail to work, but I have still not managed to get it to authenticate. (My source code compilation did authenticate, so there can't be too much missing).

I think these may be general bugs in an unstable package, as opposed to potato specific.

I have a number of sites where I would like to deploy this package, and if it can be by means of an upgradeable *.deb, it will be worth the effort.

Cheers

Ian
Funny Logs
Hello All

I wonder if anybody has seen something like this before.

We have a web server running apache which used to serve a dual purpose as a proxy cache server. The proxy cache has long since been replaced by a box running squid. However instead of removing all of the "proxy" directives from the apache configuration we set it up to cascade the requests off the squid server. This was done for the convenience of those users who still had the old proxy configuration in their browsers.

At this time in history there were never any access controls on the proxy function of the apache server. As a result, until very recently we had an apache server which could be used as an anonymous proxy by anybody in the world. In practice it did very little proxying at all.

Now quite recently we have been seeing logs like this:

62.226.60.13 - - [21/Mar/2001:06:22:20 +0200] "GET http://banner.eroxchange.de/life/xcshow?sunkel.83 HTTP/1.0" 302 0
62.226.60.13 - - [21/Mar/2001:06:22:21 +0200] "GET http://www.cyberparadies.de/banner/bannerkl2.gif HTTP/1.0" 200 1753
64.26.134.29 - - [21/Mar/2001:06:23:26 +0200] "GET http://www.eseasnavigator.com/cgi-bin/ads/ads.pl?page=01 HTTP/1.0" 302 0
64.26.134.29 - - [21/Mar/2001:06:23:27 +0200] "GET http://www.eseasnavigator.com/cgi-bin/ads/ads.pl?page=01;checkforcookie HTTP/1.0" 301 0
64.26.134.29 - - [21/Mar/2001:06:23:28 +0200] "GET http://ads.adflight.com/ad_3p.asp?pid=2985&sid=2929&asid=20376&ord=44 HTTP/1.0" 302 203
64.26.134.29 - - [21/Mar/2001:06:23:30 +0200] "GET http://servedby.advertising.com/site=22437/size=468060/bnum=62255627/bins=1/rich=0 HTTP/1.0" 302 110
64.26.134.29 - - [21/Mar/2001:06:23:31 +0200] "GET http://ad.doubleclick.net/ad/N2225.Advertising.com/B36146;sz=468x60;ord=0985148412? HTTP/1.0" 302 0
64.26.134.29 - - [21/Mar/2001:06:23:34 +0200] "GET http://m.doubleclick.net/viewad/525454-aibo_prints_3x.gif HTTP/1.0" 200 15255
62.226.22.71 - - [21/Mar/2001:06:24:44 +0200] "GET http://www.adbull.de/cgi-bin/cash4adverts.pl?banner=sabi1999 HTTP/1.1" 302 249
62.226.22.71 - - [21/Mar/2001:06:24:48 +0200] "GET http://www.tipp24.de/jamany/partner_banner/tipp468x60sofa004a_neu.gif HTTP/1.1" 200 11670

So we have put access controls onto the apache "proxy" function to restrict usage to our own users.

However I wonder what the motivation is. Has somebody come up with a scam for using the open proxy to up the "hit count" on banner ads hosted on his pages? If so who would be most interested in these log files?

Cheers

Ian
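The tell-tale in the log lines above is that the request target is an absolute URL ("GET http://host/... HTTP/1.0") rather than a local path: Apache only logs requests that way when mod_proxy handled them. The script below, an added example and not code from the post, pulls those lines out of an access log and summarises them per client and destination, which is the check to run before and after tightening the proxy access controls. It assumes the common/combined log format shown in the post; the log lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find proxy requests in an
# Apache access log. A request whose target is an absolute URL was handled
# by mod_proxy rather than served locally, so listing those by client
# address shows who is using the box as an open proxy. Assumes the
# common/combined log format: field 1 is the client, field 7 the target.

# proxy_hits LOGFILE [LOCAL_RE]
# Print "client-ip destination-host" for each proxied request, skipping
# clients whose address matches the regex LOCAL_RE (your own users). With
# no LOCAL_RE nothing is skipped ("^$" never matches a real address).
proxy_hits() {
    awk -v local="${2:-^\$}" '
        $7 ~ /^https?:\/\// && $1 !~ local {
            host = $7
            sub(/^https?:\/\//, "", host)   # drop the scheme
            sub(/[\/:?].*$/, "", host)      # drop port, path and query
            print $1, host
        }' "$1"
}

# proxy_summary LOGFILE [LOCAL_RE]
# Count the (client, destination) pairs, busiest first. Many distinct
# outside clients all fetching banner-ad URLs is the pattern in the post.
proxy_summary() {
    proxy_hits "$@" | sort | uniq -c | sort -rn
}

# outside_clients LOGFILE [LOCAL_RE]
# Number of distinct non-local client addresses that used the proxy. After
# the proxy is restricted to local users this should drop to zero; anything
# else means the access control is not taking effect.
outside_clients() {
    proxy_hits "$@" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# "proxycheck.sh report LOGFILE LOCAL_RE" prints the summary and the count.
case "${1:-}" in
    report)
        proxy_summary "$2" "$3"
        echo "distinct outside clients: $(outside_clients "$2" "$3")" ;;
esac
```

LOCAL_RE is an anchored regex over the dotted address, e.g. '^196\.25\.' for one of your own netblocks; give one pattern per run and merge the results if you have several.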
Re: "kickstart" for debian needed
Hello Duane

On 27 Mar 2001, at 21:58, Duane Powers wrote:

> I don't know if anyone has the details on redhat's kickstart
> program, and whether that is something that could be ported to
> debian... Any suggestions?

At the moment we do the following:

- base install (3 floppies + base.tgz from nfs drive).
- break the installation when "dselect" starts
- download a "configs.tgz" from the network. This contains customized versions of debian "config" files in /etc as well as other utilities in /usr/local/ and /var/www/. This configures /etc/apt/sources etc. It also contains a file "/etc/deblist" which was generated using "atp-get --set-selections".
- run apt --get-selections < /etc/deblist
- run apt-get --deselect-update
- manually edit /etc/... to suit the particular install.

This is flexible, when we change something on the network, we change it in the master "configs.tgz" and all subsequent installs get it. The process is not broken when there is an upstream update - because of debian policy for "configuration" files.

We have a script which backs up each machine and creates a personalized "config.tgz" file. If we have to reload a machine, we just use that one instead. (It will get upgraded to the latest "stable" stuff during the re-install process.)

The problems:

"apt-get --dselect-upgrade" is painfully slow - particularly on slow hardware. And you have to sit and watch and answer "y/n" stuff till it is finished. (Can't wait for debconf to be working on a useful level).

The personalisation of the config files is slow. I think we could do with a script which runs after the config.tgz has been extracted and asks things like domain names and user names.

I tried using a customized "base.tgz" that installed everything in one go. But it was too inflexible and introduced too many bugs, so we went back to the old procedure as outlined above.

Regards

Ian
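The "script which runs after the config.tgz has been extracted" step the post says is missing, plus a sanity check on the package-selection list before it is handed to dpkg. This is an added example, not code from the post or from Debian; the "@HOSTNAME@"/"@DOMAIN@" placeholder convention in the config tree is my assumption, while "dpkg --set-selections" and "apt-get dselect-upgrade" are the real commands the "apply" mode runs.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for a configs.tgz
# based install. The "@TOKEN@" placeholder convention and token names are
# an assumption of this example. "apply" runs the real dpkg/apt-get steps.

# check_selections FILE
# Validate a "dpkg --get-selections" style list before feeding it back in:
# every non-blank line must be "package<whitespace>install|hold|deinstall|purge".
# Prints the offending lines and returns 1 if any are malformed, so a
# truncated or mangled list is caught before dpkg acts on it.
check_selections() {
    bad=$(awk 'NF && !($1 ~ /^[a-z0-9][a-z0-9+.-]*$/ && NF == 2 &&
                       $2 ~ /^(install|hold|deinstall|purge)$/)' "$1")
    if [ -n "$bad" ]; then
        printf 'malformed selection lines:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# personalise DIR NAME=VALUE...
# Replace @NAME@ tokens in every file under DIR (the extracted config tree)
# with the given values, e.g. HOSTNAME=mail DOMAIN=example.net. Only files
# that actually contain a token are rewritten, so untouched files keep
# their timestamps. Values must not contain "|" (the sed delimiter).
personalise() {
    dir=$1; shift
    for kv in "$@"; do
        name=${kv%%=*}; value=${kv#*=}
        grep -rl "@$name@" "$dir" 2>/dev/null | while IFS= read -r f; do
            sed -i "s|@$name@|$value|g" "$f"
        done
    done
}

# "postconfig.sh apply CONFIGDIR HOSTNAME DOMAIN": personalise the tree,
# then install the recorded package selections. Without arguments the
# script only defines the functions.
case "${1:-}" in
    apply)
        personalise "$2" "HOSTNAME=$3" "DOMAIN=$4"
        check_selections "$2/etc/deblist" || exit 1
        dpkg --set-selections < "$2/etc/deblist"
        apt-get dselect-upgrade ;;
esac
```

Run "apply" against the extracted tree before copying it over /etc, so a typo in the token values is visible in the staging copy rather than on the live system.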
Re: portslave
Hello Russell

I am busy testing a portslave server to replace my old ancient Cyclades-Y based terminal server. The old one ran mgetty and a pppd patched for radius authentication via the radius client library. The patches have not been updated since pppd version 2.2 and the old machine still has a 2.0 series kernel.

I am using portslave 2000-12-24 which I built on potato from a deb source archive a while back and kernel 2.2.19. It seems to work and we will go "live" in a few days.

Do you know of a "potato" deb for the latest version, or if you have suggestions on how to get it to compile on potato, please let me know. I ran into problems with an unsupported "debhelper" version. Upgrading debhelper would require upgrading perl, by the time I have done that it won't look like a "potato" system any more.

I am also not too sure if I agree with your comments on portslave doing everything that mgetty can do. I had a big battle to get portslave to work with my old modem to modem uucp clients.

Regards

Ian

On 5 Oct 2001, at 16:02, Russell Coker wrote:

> On Thu, 4 Oct 2001 17:34, Cathedral wrote:
> > I`m configuring one board cylades cyclom-y and got all the board configured
> > but now i can`t set the modems to work, i`ve configured the radius-client
> > to authenticate on my radius-server and start pppd automatically.
> > I have put a line like that on inittab
> >
> > C0:23:respawn:/sbin/getty -I ' AT OK AT&W0' ttyC0 (also with /dev/) 9600 -l path_to_radlogin/radlogin
> >
> > The modem answers the line but my win98 clients doesn`t connect do anybody
> > can help me about that, i`m getting really desperate.
>
> That will only work for terminal authentication (the default for Windows is
> AutoPPP). Also are you sure that your "-I" parameter is correct? The
> documentation for the version of getty that I use doesn't indicate support
> for chat scripts.
>
> Why not use Portslave? It answers the phone and supports full chatscript
> functionality for modem configuration etc. Portslave presents a "login:"
> prompt and authenticates with a RADIUS server. It also recognises AutoPPP
> sequences and runs pppd with a special module so that the pppd will talk to
> the RADIUS server for authentication. When the connection is finished the
> details of bytes and packets transferred will be logged to the RADIUS server.
>
> Also Portslave supports a variety of options for running ssh, telnet, or
> rlogin connections based on what the RADIUS server specifies.
>
> Anything that can be done by getty, mgetty, radius-client, etc can be done
> better by Portslave.
>
> Another thing, currently there are two active Portslave developers, me and a
> Cyclades employee (the Cyclades TS4000 type boxes run a derivative of my
> 2000-12-25 release). Run the latest Portslave from unstable and you get most
> of the features of the high-end Cyclades terminal server boxes, plus some
> features that haven't yet been copied into the Cyclades tree.
>
> --
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/projects.html Projects I am working on
> http://www.coker.com.au/~russell/ My home page
Re: portslave
Hello Russell

On 9 Oct 2001, at 0:02, Russell Coker wrote:

> On Mon, 8 Oct 2001 16:36, I. Forbes wrote:
> The versions before 2001-06-20 all sucked in various ways. It was only in
> the 2001-06-20 version that I really got the source under control.
>
> > Do you know of a "potato" deb for the latest version, or if you have
> > suggestions on how to get it to compile on potato, please let me
> > know. I ran into problems with an unsupported "debhelper" version.
> > Upgrading debhelper would require upgrading perl; by the time I
> > have done that it won't look like a "potato" system any more.
>
> Hopefully I'll have one for you tomorrow. I'll try and back-port the main
> ppp package at the same time. Then you'll get the latest pppd along with the
> Portslave that uses the regular pppd (saves memory).

Thanks, I am looking forward to that.

How does portslave work with pppd, and which versions of pppd (patched or unpatched) do you need for kernel 2.2 (which I am still running) and kernel 2.4 (which will be the next upgrade)?

> > I am also not too sure if I agree with your comments on portslave
> > doing everything that mgetty can do. I had a big battle to get
> > portslave to work with my old modem to modem uucp clients.
>
> Tell me exactly what you were trying to do and how it failed, if the current
> version can't handle it easily then I'll add some new features.

With mgetty I had a line in my mgetty (on one line):

    U* uucp@ /usr/bin/ssh -t -e none [EMAIL PROTECTED] /usr/sbin/uucico -l -u @

The uucp clients were not in the radius server at all. This started a session on our uucp server which did the authentication.

Now I have in pslave.conf:

    conf.ssh /etc/portslave/scripts/ssh-script

And the file referenced above looks like this (mind the line wrap):

    #!/bin/bash
    #
    su uucp -c "/usr/bin/ssh -t -e none [EMAIL PROTECTED] /usr/sbin/uucico -x3 -u $LOGNAME"

I have now added all my uucp accounts to radius, with the following settings:

    User-Service-Type = Login-User, Login-Service = Ssh

The uucp server still has a duplicate authentication list as it accepts lots of connections over tcp/ip. Fortunately we have not sold a uucp for "modem to modem" use for over 2 years (we still sell lots of uucp over tcp/ip - but that does not affect portslave), so these are legacy clients and we only have to fiddle with the radius stuff when they close.

Another comment. Portslave locks the serial port. With mgetty it is still possible to use the port for dialing out, and even for faxing. So with small multipurpose installations, mgetty may have advantages over portslave.

> Also the recent versions have many more features regarding logins other than
> PPP/SLIP, whatever your problem was I'm sure it's a lot easier to solve now
> than a year ago!

Is it possible to call up the patched pppd from mgetty and use radius authentication and accounting?

It would be really nice if the above were true. It would also be nice if we could combine mgetty with features of faxgetty from the hylafax package. Then we could have one "answer the modem" package which could be configured to do everything anyone can expect of a modem.

When we get that right, we can start all over again for ISDN ...

Thanks for the feedback

Regards

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 +21 683-1388 Fax: +27 +21 64-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: portslave for potato
Hello Russell

I have just tried this on my potato test system. I installed the deb over my old version. I let the install script update my existing pslave.conf file but I did not change anything else. The kernel is version 2.2.19.

It works fine!

Thanks

Ian

On 9 Oct 2001, at 21:13, Russell Coker wrote:

> I have put a copy of the latest portslave compiled for potato online at
> http://www.coker.com.au/portslave/ . I don't have a potato system to test it
> though... Also it is a new version...
>
> --
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/projects.html Projects I am working on
> http://www.coker.com.au/~russell/ My home page

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 +21 683-1388 Fax: +27 +21 64-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: portslave for potato
Hello Russell

On 9 Oct 2001, at 21:13, Russell Coker wrote:

> I have put a copy of the latest portslave compiled for potato online at
> http://www.coker.com.au/portslave/ . I don't have a potato system to test it
> though... Also it is a new version...

I think I have found a bug with this package.

We had a major power outage and everything went down. The portslave machine came back up before the radius server. It seems the pppd-radius on the portslave machine got into an endless loop trying to reach the radius server. I got the following errors scrolling very rapidly.

    Oct 12 13:42:37 nimbus port[S23]: [EMAIL PROTECTED]:1812 not responding
    Oct 12 13:42:37 nimbus last message repeated 15 times
    Oct 12 13:42:37 nimbus port[S26]: [EMAIL PROTECTED]:1812 not responding
    Oct 12 13:42:37 nimbus last message repeated 9 times
    Oct 12 13:42:37 nimbus port[S19]: [EMAIL PROTECTED]:1812 not responding
    Oct 12 13:42:37 nimbus last message repeated 5 times

It did not stop after the radius server had come back up again. Eventually I had to run "killall -9 pppd-radiusd" to kill all of the stuck processes. After that init restarted the portslaves and it worked fine again.

I look forward to your comments.

Thanks

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 +21 683-1388 Fax: +27 +21 64-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: portslave
Hello Russell

On 13 Oct 2001, at 19:14, Russell Coker wrote:

> I have been thinking of implementing a way of telling Portslave to pass the
> port to another program to allow minicom or a FAX transmission to take the
> port.

I think the answer lies in by-passing radius. If we had a facility like mgetty's "login.config" file which could decide whether to run a radius based program, or a local one instead, the flexibility would go up by an order of magnitude. It would also make hacks like my UUCP one work.

Perhaps the same or a similar configuration file could tell portslave how to handle incoming calls detected by the modem as being voice or fax as opposed to data calls.

> > Is it possible to call up the patched pppd from mgetty and use
> > radius authentication and accounting?
>
> Sure you could have the mgetty detect the PPP frames and run pppd with
> appropriate parameters to load the Portslave library.

Is there documentation for the new options on the patched pppd?

> > It would be really nice if the above were true. It would also be nice if
> > we could combine mgetty with features of faxgetty from the hylafax
> > package. Then we could have one "answer the modem" package
>
> I've been thinking of doing that. However I have no fax hardware. If
> someone suggests which code I should use as a fax code base and is prepared
> to test it for me then I'll add fax support to Portslave.

In my opinion Hylafax is by far the best fax package. It allows Class 1 or Class 2 modems to be used. Mgetty's fax facility only allows Class 2. As over 90% of domestic quality 56k modems either have no Class 2 support, or Class 2 that is so buggy that it is not worth using, this is a big plus factor. (Almost all Windows faxing software uses Class 1 mode.)

Hylafax has a "faxgetty" program that answers the modem. It allows dial-out like mgetty, but it also communicates with the hylafax daemon to report on the status of the modem. It has facilities for calling alternate programs for voice and data calls. I am not sure if it can detect ppp frames.

However the weak link is normally with the modem's detection of the type of the incoming call (voice, fax or data), which is not very reliable. I am not sure if Class 1 modems can do this at all. On commercial sites, I normally lock modems taking incoming fax calls into "fax only" mode to guarantee satisfactory performance. Faxgetty has a few features to try and work around this limitation.

A few other issues to consider:

- What about call-back, is there any provision for this in portslave?
- Is anybody familiar with isdnutils? How does that handle all the options of incoming calls?
- Can isdnutils handle radius authentication, filters, assigned IPs etc? (Maybe it could share the radius plug-in?)

Regards

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 +21 683-1388 Fax: +27 +21 64-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: portslave
Hello Russell

On 15 Oct 2001, at 17:58, Russell Coker wrote:

> On Mon, 15 Oct 2001 11:18, I. Forbes wrote:
> > Perhaps the same or a similar configuration file could tell portslave
> > how to handle incoming calls detected by the modem as being
> > voice or fax as opposed to data calls.
>
> Sure, I could add that. Write a spec.

This is an opportunity I can't pass up. Give me a week or so to have a good look through mgetty, faxgetty etc.

> > Is there documentation for the new options on the patched pppd?
>
> There is in the latest version which was uploaded to Debian and Sourceforge
> last night.

Thanks, I will have a look.

> It shouldn't be that difficult to write some code that can recognise FAX as
> well as PPP, they are very different...

The fax and data differentiation is handled by the modem - they have different handshake sequences. If the phone line is noisy and/or the modem firmware is a bit buggy, the modem does not correctly identify the handshake. If the modem gets this wrong, then the "getty" program can't help. This does not mean that we should not put the facility into portslave.

Regards

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 +21 683-1388 Fax: +27 +21 64-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Journaling FS for Production Systems
Hello All

I am looking at moving some of our "potato" based production servers onto woody, and at the same time upgrading onto a journaling FS.

I need the FS to meet the following, in order of importance:

- MUST BE STABLE (our income depends on uptime!)
- Must be supported in woody, without too much extra fiddling.
- Good "power switch abuse" recoverability. EXT2 is pretty good, except if you have multiple reboots, you need to run fsck manually (at least with the standard debian init scripts). I can live with fsck, but I would prefer no manual intervention.
- Good performance for "Maildir" directories. (We run Exim, Courier IMAP and SQWebmail as standard).
- Software RAID 1 disk mirroring on IDE drives. Something new but very necessary.
- Suitable for use on a root file system on a machine with one partition.
- (Availability of boot/installation disks would be nice. We currently do installations from 3 stiffy disks and the rest from the LAN using nfs/ftp/http)
- File system quota support (nice but not essential).
- NFS support would be nice to have, but not essential.

Without wishing to start a flame war, can anybody give me a quick run-down on which of the above criteria new generation file systems, like Reiser, XFS, EXT3, etc meet?

Thanks

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 +21 683-1388 Fax: +27 +21 64-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: Journaling FS for Production Systems
Hello Paul

On 6 Nov 2001, at 15:19, Paul Fleischer wrote:

> I would either go with ext3 (which even is ext2 compatible AFAIK) or
> XFS. They really seem to be the most stable. Reiser is not bad, but I
> have had some terrible experiences with it - however, I do still use it,
> it is nice, but IMHO not suited for production systems yet (although I
> believe that many people do actually use it in production).

This comment seems to be typical of the responses I have had so far. Based on this feedback, I think we will stick to ext2 on the customer boxes for the moment and probably also kernel 2.2, but we will start migrating onto woody.

However I will set up a journaling Maildir box in our office and see how it goes. (Production yes, but still under close supervision).

But I have two followup questions:

- Does ext3 have any performance benefit over ext2 when handling large Maildir directories?
- It seems that, at this point in time, xfs is more stable than reiserfs. However I am not sure if that is because fewer people have tried it, and hence fewer people have experienced problems. Are there many xfs users out there? Is the development active? If not, is it because xfs is stable, or has the xfs initiative lost momentum?

Thanks

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 +21 683-1388 Fax: +27 +21 64-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: Best way to duplicate HDs
Hello All

I am not sure that I understand what the original poster wishes to achieve, nor have I followed the lengthy discussions that ensued. But, a thread with the above subject line would not be complete without a mention of "mirrordir".

Someone wrote:

> > Sigh... and I was hoping for a simple solution like cp /mnt/disk1/*
> > /mnt/disk2/

Try

    apt-get install mirrordir
    mirrordir /mnt/sourcedisk /mnt/targetdisk

Everything including soft links, hard links, device files, fifos, permissions etc, will be mirrored, with a minimum of changes on the target disk.

Mind that you do not mix up the "source" and "target" paths, otherwise you will end up wiping your original drive.

If you want to "ghost" a complete linux file system to replace a small drive with a larger one, the recipe is this:

- power down and install the target disk on the secondary port, reboot.
- partition the target disk (fdisk, cfdisk).
- create file systems (mkfs) and swap partition (mkswap) on the target disk.
- mount the target disk on /mnt
- create mount points and mount other partitions on the target drive (eg mkdir /mnt/boot, mount /dev/hdc1 /mnt/boot).
- change into single user mode (init s)
- mirror the drive, "mirrordir --exclude /mnt --exclude /proc / /mnt" (These excludes save a lot of trouble)
- mkdir /mnt/proc, mkdir /mnt/mnt (This also saves a lot of problems later).
- power down and remove the original disk
- reboot with the target disk mounted as root / using an external recovery disk.
- run install-mbr to put a boot record on the target
- run lilo to make the target bootable.
- reboot.

The original poster could probably achieve what he wants by running the "mirrordir" statement from crontab every 24 hours.

Have fun

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 21 683-1388 Fax: +27 21 674-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
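The warning in the post above (swap the two paths and mirrordir empties the original drive) is the kind of thing worth checking in software before the command runs. The following is an added example, not part of the post and not part of the mirrordir package: it assembles the mirrordir command line from the recipe above and refuses the argument mix-ups that would clone onto the wrong disk (source and target swapped, the live root given as the target, a target that is not on a separately mounted filesystem). The only mirrordir option it relies on is --exclude, which the recipe itself uses; the directory layout used for the demo is constructed.

```python
"""Argument guard for the mirrordir cloning step in the recipe above.

Added example (not from the post, not from mirrordir).  It only builds the
argv; running it is left to the caller, e.g. subprocess.run(plan_clone(...)).
"""
import os


def plan_clone(source, target, require_separate_device=True):
    """Return the mirrordir argv for copying `source` onto `target`.

    Raises ValueError for the mistakes that would wipe the wrong disk:
      - target is "/" (the live root), which means the arguments were swapped
      - source lies inside target (also a swap: "/mnt/x" onto "/mnt")
      - target sits on the same filesystem as source, so it is not the new disk
        (the check can be disabled for dry runs on a single filesystem)
    `target` is always excluded from the copy, as the recipe does with /mnt,
    and <source>/proc is excluded when it exists.
    """
    source, target = os.path.abspath(source), os.path.abspath(target)
    if not os.path.isdir(source):
        raise ValueError(f"source {source} is not a directory")
    if not os.path.isdir(target):
        raise ValueError(f"target {target} is not a directory (is the new disk mounted?)")
    if target == "/":
        raise ValueError("target is the live root filesystem: arguments swapped?")
    if source == target or source.startswith(target.rstrip("/") + "/"):
        raise ValueError("source lies inside target: arguments swapped?")
    if require_separate_device and os.stat(source).st_dev == os.stat(target).st_dev:
        raise ValueError("target is on the same filesystem as source, not on a new disk")

    excludes = [target]
    proc = os.path.join(source, "proc")
    if os.path.isdir(proc):
        excludes.append(proc)
    argv = ["mirrordir"]
    for path in excludes:
        argv += ["--exclude", path]
    return argv + [source, target]


if __name__ == "__main__":
    # The recipe's own invocation: clone the root filesystem onto the disk mounted at /mnt.
    print(" ".join(plan_clone("/", "/mnt")))
```

After the copy the recipe still wants `/mnt/proc` and `/mnt/mnt` created by hand; the guard above only covers the mirrordir step.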
Re: Mass installation procedure for Debian?
Hello Oliver

On 2 Feb 2002, at 12:33, Oliver Andrich wrote:

> I have to deal in the near future with a lot of Debian machines, that I will
> setup and configure for two customers. I like to develop or use some mechanism
> for mass installation of these machines, and for easily setting up a spare
> part machine if one crashes.

We use this installation procedure. It is not really "mass" but can generate a debian stable machine tailored for our customer's requirements quite quickly. These are not identical machines - each one goes to a new customer with specific requirements. Also each machine can, and often does, have different hardware:

- Boot off boot floppies
- Load base.tgz over the LAN from our mirror server.
- Follow prompts on debian setup to set up network, DNS, apt sources, root password, user account and password etc.
- Break out of the installation process when dselect is started.
- Download a "tar.gz" file which has various customized things in it. This is unpacked into /etc, /usr/local and /var/www.
- Run dpkg --set-selections < /etc/deblist (deblist is one of the files in our tarball).
- Run apt-get and let it install the required packages. Note the contents of our /etc/ files are typically listed as configuration files. When dpkg asks if you want to overwrite them, we say NO.
- We do some global edits on /etc. For example if our tarball has customerdomain.com we search and replace it with the customer's real domain. We use mc for this and manually check each replacement just to make sure.
- If there are packages required which are not on our standard list, they get installed last. This often includes a customized kernel.
- Each machine is fully tested. DNS, dhcp, samba, isp dial-out, ras dial-in, mail in, mail out, proxy server etc.
- Details of the setup are documented and the machine is ready for delivery.

The slowest part of the job is waiting for dpkg to run all of the install scripts. With decent hardware it is not really too bad. Testing requires some application of grey matter. When we are under pressure, we can get a production ready e-mail server or webserver out in under an hour.

I have done quite a lot of development with the contents of the tar.gz. We also use a detailed check list.

I have tried setting up a custom "base.tgz" but that was too fiddly and too prone to bugs. I also looked at customizing the install disks, but backed off from that too. Maybe when I get a bit more time...

We also have a script for backing up /etc and a few other key files and directories into a tar.gz file and rsync-ing it onto our backup server. We run the script whenever we work on a customer's machine. If the machine has a disk crash we can rebuild it from scratch, using the same procedure and the backup tar.gz file instead of the generic one.

Regards

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 21 683-1388 Fax: +27 21 674-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: dist-upgrade on remote server
Hello Andreas

It should be possible. I upgraded a number of machines from slink to potato remotely, but I have not started on remote potato to woody upgrades yet. It helps if you have practised on a local machine.

I suggest you take a few precautions:

- use apt-get -d to download everything you need before you start.
- open 3 or more ssh sessions. Set up a ping in the spare sessions. Then if you lose your main one, the others should still be open to give you a "back door". This can save you if something crashes during the setup of the new ssh.
- use "script" or something similar to keep a record of the screen dump. Then if you miss a warning or error you can go back and read it.
- be very careful before you do anything that changes ipchains rules.
- be very careful before you re-boot the machine.

Let me know how it goes.

Good Luck.

Ian

On 4 Feb 2002, at 15:16, Andreas Rabus wrote:

> Hi,
>
> there was a thread about potato/woody on the weekend, but I didn't get an
> important answer:
> I'd like to "dist-upgrade" our potato InternetServer in production to woody
> and I have only a ssh and telnet-ssl connection to that box.
>
> So, what's the best way to do it?
>
> If I lose the net connection, I'm stuck. (Grab a monitor, a keyboard etc., take
> it to the cellar of the box at the other end of the city, reboot, wait,
> repair and meanwhile I got a few hours downtime...)
> That's s.th. I'm afraid of so I should try to avoid it...
>
> But how can a connection get lost while dist-upgrading and what can I do to
> avoid this?
>
> I have another box which is nearly similar to that interbox in the LAN, so I
> can try it there first, but they don't share the network connection and
> config. And I can't switch boxes, they are too different.
>
> Has anybody done s.th. like that before? With success? Failed?
>
> ar
>
> Andreas Rabus
> entity38 AG
>
> Theresienstraße 29
> 80333 München
>
> Tel +49 (89) 286772-27
> Fax +49 (89) 286772-21
> ISDN +49 (89) 286772-30
> ICQ #132675697
>
> [EMAIL PROTECTED]
> www.entity38.de

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 21 683-1388 Fax: +27 21 674-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: AW: dist-upgrade on remote server
Hello Andreas

You should be able to upgrade potato to woody with a 2.2 series kernel. You can compile/upgrade your kernel after the debian upgrade.

I would prefer to compile and test the kernel on a local machine and create a "kernel-image...deb" file. Then copy this onto the new server and install it with dpkg. But then you need to have the same hardware on your local machine to test it with.

Regards

Ian

On 5 Feb 2002, at 14:35, Andreas Rabus wrote:

> Is it possible to compile a new kernel before the reboot?
> What about
> Our remote box has a RAID controller from GDT whose driver surely is not in
> the default kernel...
>
> -----Original Message-----
> From: Donovan Baarda [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 5 February 2002 14:08
> To: I. Forbes
> Cc: Andreas Rabus; debian-isp@lists.debian.org
> Subject: Re: dist-upgrade on remote server
>
> On Tue, Feb 05, 2002 at 11:52:49AM +0200, I. Forbes wrote:
> > Hello Andreas
> >
> > It should be possible. I upgraded a number of machines from slink to
> > potato remotely, but I have not started on remote potato to woody
> > upgrades yet. It helps if you have practised on a local machine.
> >
> > I suggest you take a few precautions:
> [...]
> > - be very careful before you re-boot the machine.
>
> I just had to travel to a server that failed to come up from a reboot after
> remote upgrade to woody. The problem was kernel-2.4.17's initrd stuff didn't
> automatically load the AHA-2940 module... In the 2.2.x series kernel this must
> have been compiled in, but for the new 2.4.x series it needed an entry in
> /etc/modules. I ended up manually running modconf to add it in, then
> dpkg-reconfigure'd the kernel to make sure the initrd had it in. Another
> option that _might_ have worked is installing discover...
>
> Just something else to be wary of :-(
>
> --
> ABO: finger [EMAIL PROTECTED] for more info, including pgp key

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 21 683-1388 Fax: +27 21 674-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Diverting smtp traffic
Hello All

I have an old e-mail server that is still accepting e-mail for some domains. The MX records for these domains are controlled by other parties and getting them changed would be a bit of a mission.

At the moment this server forwards all e-mail to my new e-mail server. However in the process I lose some control. Particularly the anti-spam, anti-virus configurations etc are not on the old server.

What I would like to do is forward all TCP traffic on port 25 on the old server directly to the new one. I have tried "ipmasqadm portfw" but there is no masquerading involved and it does not work.

I could also use "redir" or "xinetd" but these will hide the originating server IP address from the receiving server. That would mess up RBL controls and may even open up an open relay!

Has anybody done this before? The machine is running potato with a 2.2.19 kernel.

Thanks

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 21 683-1388 Fax: +27 21 674-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: Diverting smtp traffic
Hello Jeremy

On 14 Feb 2002, at 9:14, Jeremy C. Reed wrote:

> > old server directly to the new one. I have tried "ipmasqadm
> > portfw" but there is no masquerading involved and it does not work.
>
> Does not work? (Show us.)

This machine has two network cards, one with masquerading onto a private LAN. However the second mail server is on the public side. There is already forwarding of certain ports to machines inside the LAN, which works perfectly. So the kernel must have all the correct options compiled into it. However

> Try something like:
>
> ipmasqadm portfw -a -P tcp -L 192.168.0.1 25 -R 192.168.0.2 25

This is exactly what I am running, but it does not work. (It would work if the redirected IP was already being masqueraded.)

From /usr/share/doc/netbase/ipmasqadm/README.portfw.gz:

    Port forwarding uses the existing masquerading scheme to do all the
    rewriting of packets. The masquerading table (what you see when you type
    netstat -M or ipfwadm -M -l) is setup as if the connection started
    internally.

Which may give a clue why it does not work on IPs for which there is no masquerading configured.

> Your remote interface needs to listen on the original IP too.

Yes, I have checked that.

It seems I will have to upgrade to kernel 2.4. I thought there might be an inetd replacement that could do this (with correction of the source address IP).

As this is an old stable machine, and I don't want to fiddle too much, I think I will try another option - updating the mail server configuration to match that on our main server.

Thanks

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 21 683-1388 Fax: +27 21 674-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: Upgrade a mail server
Hello Craig

On 19 Feb 2002, at 10:38, Craig Sanders wrote:

> I'd love to convert it over to Maildir/ but haven't yet found any way
> that doesn't involve many hours of downtime while converting the
> mailboxes from mbox format to Maildir.

I did this a while back. It is possible with very little apparent downtime. (We are using Exim and Courier):

- create Maildirs for all users. (This is important if both your POP3/IMAP software and MDA are not configured to create missing Maildirs "on the fly").
- change your MDA to deliver into the new maildirs. (At this stage new mail is not visible to users when it arrives - but they can still see their old mail. The downtime for this phase should be short.)
- change your POP3/IMAP programs to pick up mail from the maildirs. (At this stage old mail is not visible to users, but new mail is. This should not be too much of a problem - if users have left MB worth of mail in their boxes, they can't want it too badly; it is when new mail is not available that people complain.)
- run your script which reads the mbox files, and delivers to maildirs. My script renamed the mailbox files just after they had been converted, so I could restart the script without incurring duplicate deliveries if (when) the script crashed.
- By the time the script finishes, all mail is visible again.
- Keep the old mbox files around for a few days just in case you discover a problem ...

No corruption, no duplication, no mail lost, no file locking, no error messages on client desktops, not too much loss of service and very few support calls.

Have fun!

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 21 683-1388 Fax: +27 21 674-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
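The conversion step of the procedure above, as an added example; Ian's own script was not posted, so this is not it. It follows the rule the post describes (rename each mbox only after every message in it is safely in the Maildir, so a crashed run can be restarted without delivering anything twice) using Python's standard mailbox module. The spool and home directory layout, the ".converted" marker suffix and the two-message mbox are constructed for the demo and are assumptions, not anything Exim or Courier use.

```python
"""Restart-safe mbox to Maildir conversion (added example, not the script from the post)."""
import mailbox
import os
import tempfile

CONVERTED_SUFFIX = ".converted"  # assumed marker: an mbox with this suffix is fully delivered


def convert_mbox(mbox_path, maildir_path):
    """Deliver every message in one mbox into a Maildir; return the count delivered.

    The mbox is renamed with CONVERTED_SUFFIX only after the last message is on
    disk.  A run that dies half way leaves the name unchanged, so the restart
    redoes the whole file (Maildir files from the first attempt are
    duplicates only if the run is restarted *and* the rename already happened,
    which the ordering rules out); a renamed file is skipped entirely.
    At this stage of the procedure the MDA already delivers into the Maildirs,
    so nothing else is appending to the mbox while it is read.
    """
    if not os.path.exists(mbox_path) or os.path.exists(mbox_path + CONVERTED_SUFFIX):
        return 0
    os.makedirs(os.path.dirname(maildir_path), exist_ok=True)
    src = mailbox.mbox(mbox_path, create=False)
    dst = mailbox.Maildir(maildir_path, create=True)  # makes cur/ new/ tmp/ if missing
    delivered = 0
    try:
        for msg in src:
            # MaildirMessage(msg) keeps headers and body and maps the mbox
            # Status flags to Maildir flags; add() writes via tmp/ then links into new/ or cur/.
            dst.add(mailbox.MaildirMessage(msg))
            delivered += 1
        dst.flush()
    finally:
        src.close()
        dst.close()
    os.rename(mbox_path, mbox_path + CONVERTED_SUFFIX)
    return delivered


def convert_spool(spool_dir, home_root):
    """Convert <spool_dir>/<user> into <home_root>/<user>/Maildir for every unconverted spool.

    Returns {user: messages_delivered}; spools already carrying the marker are skipped.
    """
    results = {}
    for name in sorted(os.listdir(spool_dir)):
        if name.endswith(CONVERTED_SUFFIX):
            continue
        results[name] = convert_mbox(os.path.join(spool_dir, name),
                                     os.path.join(home_root, name, "Maildir"))
    return results


SAMPLE_MBOX = (  # constructed two-message spool for user "bob"
    "From alice@example.invalid Mon Feb 18 09:00:00 2002\n"
    "From: alice@example.invalid\n"
    "To: bob@example.invalid\n"
    "Subject: one\n"
    "\n"
    "first body\n"
    "\n"
    "From carol@example.invalid Mon Feb 18 09:05:00 2002\n"
    "From: carol@example.invalid\n"
    "To: bob@example.invalid\n"
    "Subject: two\n"
    "\n"
    "second body\n"
)


def demo():
    """Convert a constructed spool, then 'restart'; returns (first_run, second_run, maildir_count, renamed)."""
    root = tempfile.mkdtemp()
    spool = os.path.join(root, "mail")
    os.mkdir(spool)
    with open(os.path.join(spool, "bob"), "w") as fh:
        fh.write(SAMPLE_MBOX)
    first = convert_spool(spool, root)    # {"bob": 2}
    second = convert_spool(spool, root)   # {} : the renamed spool is skipped, nothing redelivered
    count = len(mailbox.Maildir(os.path.join(root, "bob", "Maildir"), create=False))
    renamed = os.path.exists(os.path.join(spool, "bob" + CONVERTED_SUFFIX))
    return first, second, count, renamed


if __name__ == "__main__":
    print(demo())
```

Locking is deliberately absent, for the reason the post gives: by the time the script runs, the MDA no longer writes to the mbox files, so the reader has them to itself.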
Problem with RAID1 on kernel 2.4
Hi All

I have just spent many hours trying to set up raid1 on a machine with an hpt366/hpt370 ide chipset. The machine has 3 ide hard drives as raid 1 + 1 hot spare, and a CD-ROM; each device has its own IDE interface. The chipset has 4 ide ports and is supported on kernel 2.4.

The chipset has raid "features" but as I understand it these are implemented via a software disk driver, typically on Windows. There are patches for kernel 2.2 and some weird drivers from the manufacturer's web site which I think do the same under Linux. However kernel 2.4 has native support for the chipset and the other development seems to have stopped.

With 2.4 running I was presented with /dev/hda, /dev/hdc, /dev/hde, /dev/hdg for the drives. I installed linux raid1 for raid support.

I installed a standard debian 2.4.17 kernel and just enough packages out of woody to get it going. The rest is potato.

After a long night I think I have got it all going. However there are some areas that I am still not sure of:

1) The initrd is massive, about 3 MB. I hope that means I will always have all the modules I will ever need at boot time, and I assume the RAM is freed up by the time the system is running. I increased the size of my boot partition to 15 MB, but otherwise this is not really a problem.

Notwithstanding the above, I put a long list of modules in both /etc/modules and /etc/mkinitrd/modules (ide stuff, md, raid1, ext2, ext3 etc). I am not sure how much of this was necessary.

2) Then I had endless problems with raid1. It seems that the "failed-disk" directive in /etc/raidtab does not work. I think it has something to do with devfs - which is compiled into the standard "woody" 2.4 kernel. /proc/mdstat shows the drives with their devfs names, not the old /dev/hd.. names.

While all the other directives seemed to work using standard /dev/hd.. names and I could build the raid, if I did a raidstop, followed by raidstart, it would not start again. Rather it gave me an error relating to the partition listed as "failed-disk". The only way to get it running again was with a mkraid --really-force option.

I tried installing debian's devfsd package but it did not solve the problem. Maybe there is some clever customization required to make it work.

Putting the full devfs names into /etc/raidtab did not work. Maybe I did not have everything set up correctly or I got the names wrong. I could not find any devfs devices in the /dev directory.

After lots of manipulation I managed to build a working system from a single disk to raid1 on all partitions, without relying on failed-disk, and it all seems to be working now.

I am not sure how much is related to the chipset, or whether this is a known issue with kernel 2.4.

In hindsight, I should have compiled a new kernel without initrd or devfs and made all the raid and ide modules built in. I actually tried this but after two or three compilations without getting a kernel with the right configuration, I thought doing it the other way might be faster.

Has anybody else been down this road yet?

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 21 683-1388 Fax: +27 21 674-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: Problem with RAID1 on kernel 2.4
Hello Russell

Thanks for your comments.

On 26 Feb 2002, at 11:32, Russell Coker wrote:

> > 2) Then I had endless problems with raid1. It seems that the
> > "failed-disk" directive in /etc/raidtab does not work. I think
> > it has something to do with devfs - which is compiled into the
> > standard "woody" 2.4 kernel.
>
> No. failed-disk has always worked fine for me with devfs.

I have not been able to reproduce the problem again. However I think I had the index values in the raidtab file wrong. I had

    raiddev /dev/md0
        raid-level            1
        nr-raid-disks         2
        nr-spare-disks        0
        chunk-size            4
        persistent-superblock 1
        device                /dev/hda5
        raid-disk             0
        device                /dev/hdc5
        failed-disk           1
        device                /dev/hde5
        spare-disk            3

when it should have been

    raiddev /dev/md0
        raid-level            1
        nr-raid-disks         2
        nr-spare-disks        0
        chunk-size            4
        persistent-superblock 1
        device                /dev/hda5
        raid-disk             0
        device                /dev/hdc5
        failed-disk           1
        device                /dev/hde5
        spare-disk            0

NB note the last line of each block.

The man page shows an example but it is not clear on how the index numbers should be set.

I have not had a chance to rebuild the raid to see if this was in fact my problem. The server is running and serving web pages ...

And yes, I am using raidtools2!

Thanks

Ian

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 21 683-1388 Fax: +27 21 674-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
Re: Problem with RAID1 on kernel 2.4
Hello Russell

Yes it was "nr-spare-disks 1". I just cut and copied the setup from another machine and edited it to illustrate my message. I missed the spare disks. :-(

At least raidtools2 shouts very quickly when you do that (I know!).

Thanks

Ian

On 27 Feb 2002, at 15:14, Russell Coker wrote:

> On Wed, 27 Feb 2002 14:53, you wrote:
> > when it should have been
> >
> > raiddev /dev/md0
> >     raid-level            1
> >     nr-raid-disks         2
> >     nr-spare-disks        0
>
> Surely that should be "nr-spare-disks 1"?
>
> >     chunk-size            4
> >     persistent-superblock 1
> >     device                /dev/hda5
> >     raid-disk             0
> >     device                /dev/hdc5
> >     failed-disk           1
> >     device                /dev/hde5
> >     spare-disk            0
> >
> > NB note the last line of each block.
> >
> > The man page shows an example but it is not clear on how the
> > index numbers should be set.
>
> The man page for mdctl is worse... :(
>
> --
> If you send email to me or to a mailing list that I use which has >4 lines
> of legalistic junk at the end then you are specifically authorizing me to do
> whatever I wish with the message and all other messages from your domain, by
> posting the message you agree that your long legalistic sig is void.

- Ian Forbes ZSD http://www.zsd.co.za Office: +27 21 683-1388 Fax: +27 21 674-1106 Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa -
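The two slips in this thread (a spare-disk index of 3 where 0 was meant, and nr-spare-disks left at 0 with a spare-disk entry present) are both things a raidtab can be checked for before mkraid is run. The following is an added example, not part of raidtools2 and not from the thread: a small parser for the raidtab directives used above plus a consistency check that reports when nr-raid-disks or nr-spare-disks disagrees with the device entries, or when the indices inside a group do not run 0..n-1. The raidtab texts embedded below reproduce the blocks quoted in the thread as constructed input; a failed-disk is counted as occupying one of the nr-raid-disks slots, which is how the thread's own block (nr-raid-disks 2, raid-disk 0, failed-disk 1) is laid out.

```python
"""Consistency check for /etc/raidtab blocks (added example, not raidtools2 code)."""
from collections import defaultdict

DEVICE_ROLES = ("raid-disk", "failed-disk", "spare-disk", "parity-disk")


def parse_raidtab(text):
    """Return {md_device: {"opts": {directive: value}, "devices": [(path, role, index)]}}."""
    arrays, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)               # directive, then value (tab- or space-separated)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "raiddev":
            current = arrays.setdefault(value, {"opts": {}, "devices": []})
            pending = None
        elif current is None:
            raise ValueError(f"{key!r} appears before any raiddev line")
        elif key == "device":
            pending = value                       # its role and index follow on the next line
        elif key in DEVICE_ROLES:
            if pending is None:
                raise ValueError(f"{key} without a preceding device line")
            current["devices"].append((pending, key, int(value)))
            pending = None
        else:
            current["opts"][key] = value
    return arrays


def check_array(md, array):
    """Return a list of problems for one raiddev block; an empty list means it is consistent."""
    problems, by_role = [], defaultdict(list)
    for _path, role, index in array["devices"]:
        by_role[role].append(index)
    # failed-disk still occupies one of the nr-raid-disks slots; spares are numbered separately
    groups = {
        "nr-raid-disks": ("raid-disk/failed-disk", by_role["raid-disk"] + by_role["failed-disk"]),
        "nr-spare-disks": ("spare-disk", by_role["spare-disk"]),
    }
    for counter, (label, slots) in groups.items():
        declared = int(array["opts"].get(counter, 0))
        if declared != len(slots):
            problems.append(f"{md}: {counter} {declared} but {len(slots)} {label} entries")
        if sorted(slots) != list(range(len(slots))):
            problems.append(f"{md}: {label} indices {sorted(slots)} should be 0..{len(slots) - 1}")
    return problems


def check_raidtab(text):
    """Problems for every array in a raidtab text, in file order."""
    problems = []
    for md, array in parse_raidtab(text).items():
        problems.extend(check_array(md, array))
    return problems


# The first block as posted in the thread (spare index 3, spare count 0), constructed input.
POSTED_RAIDTAB = """\
raiddev /dev/md0
    raid-level            1
    nr-raid-disks         2
    nr-spare-disks        0
    chunk-size            4
    persistent-superblock 1
    device                /dev/hda5
    raid-disk             0
    device                /dev/hdc5
    failed-disk           1
    device                /dev/hde5
    spare-disk            3
"""

# What the thread settles on: one spare, numbered from 0.
FIXED_RAIDTAB = """\
raiddev /dev/md0
    raid-level            1
    nr-raid-disks         2
    nr-spare-disks        1
    chunk-size            4
    persistent-superblock 1
    device                /dev/hda5
    raid-disk             0
    device                /dev/hdc5
    failed-disk           1
    device                /dev/hde5
    spare-disk            0
"""

if __name__ == "__main__":
    for problem in check_raidtab(POSTED_RAIDTAB):
        print(problem)
    print("fixed block:", check_raidtab(FIXED_RAIDTAB) or "consistent")
```

Run against the posted block it reports both the count mismatch and the out-of-range spare index; against the corrected block it reports nothing.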
Re: Admin for E-MAIL users only
Hello rj

On 4 Jul 2002 at 18:55, rj wrote:

> What is the best way to delegate some root privileges for a user
> which could only create e-mail accounts and make newaliases?

I have written a bunch of scripts in Python, that use the "super" utility to give effective root access to certain users for pre-defined tasks. It uses the "python-newt" user interface to give a full screen text mode interface like debconf's "dialog" one. The real work is done by adduser, userdel etc. It also has a module for adding and removing entries from the /etc/aliases file.

As with most sys-admin scripts, it is a bit beta, but if somebody is interested I could make it available.

Regards

Ian

PS: I have had in the back of my mind a web server which would authenticate the user, then spawn a child process under that user's ID. All further connects belonging to the authenticated session should be piped through to the child for processing. The child could then run a bunch of webmin type scripts to do things that could otherwise be done from the command line with user permissions. The child process should last as long as the session. When the session is closed or times out the server should kill the child and clean up. This would prevent a new interpreter from getting started for every click - as is the case with a conventional cgi script and also prevent the parent server from getting crashed by poorly written client scripts.

Has anybody seen something like this. Maybe something that supports Python scripts? (I could not find one, so I used the newt interface instead ...)

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: multiple webcams via one linux box
Hello Bernie

On 23 Aug 2002 at 10:06, Bernie Berg wrote:

> Hi, I have a project that could potentially have 85 webcams. The easy
> thing to do would be to use an Axis network camera and just link to its
> own webserver from my linux web server (or whatever). But these run
> about 300 bucks, that would be about 25 grand for 85 cams. X10 on the
> other hand (I hate their website, it looks like it is from 1994), has
> much cheaper cameras, and they are wireless. You can get a usb adapter
> to input them into a computer. Ummm, anyone have luck linking 85 usb
> webcams into one linux box? Any other suggestions?

I have tested two "Dexxa" webcams (compatible with Logitec Quickcam Express), on the same USB bus. I set it up to take alternating snap shots from each camera. This works well and could be expanded to more cameras.

However the limitation was the USB cabling. With hubs and extension cables, things start getting unreliable after about 15m.

Have fun and let me know what you learn!

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: multiple webcams via one linux box
Hello Bernie

On 26 Aug 2002 at 9:56, Bernie Berg wrote:

> > I have tested two "Dexxa" webcams (compatible with Logitec Quickcam
> > Express), on the same USB bus. I set it up to take alternating snap
> > shots from each camera. This works well and could be expanded to more
> > cameras.
>
> That should work, but at 85 cams this could get kinda messy. How fast
> can you alternate?

I ran 1 image every 15 seconds per camera, with 2 cameras, which was enough for my requirement. There is a very real finite limit to the bandwidth on USB. I don't think this will scale to 85 cams on one bus. You could try and split them over say 4 buses and aim for a refresh rate of 1 pic per 5 seconds per camera. It will depend on the resolution of each picture.

> If I used the wireless x10 cams with usb adapters I don't think I would
> reach 15m. The problem I think I would have with the x10's are that one
> receiver controls a number of cams (3 I think) and you can switch
> between them (at least that is how the windows software works), but I
> need them to all act independently. I've tried contacting x10 to ask
> some technical questions but the hold times are too long and they don't
> reply to emails.

I don't see all of those wireless controllers expanding to 85 cameras. (Do they have enough independent channels and enough range?)

I am going to try "thin client" boxes on a network, each with say 4 cameras - the limitation being the USB cable lengths. 2 boxes and 8 cameras should meet my requirement. But each box will need power and a place to live so this probably won't scale to 85 cameras either.

Your installation will be quite large, have you talked to any "professional" companies? I would hate to be running around a site chasing 85 "domestic quality" web cams when one or another of them keeps dying for unknown reasons and the supplier does not answer the phone!

Regards

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: New approach with removable IDE RAID Backup (was: Tape Question)
Hello Christian

On 28 Aug 2002 at 0:39, Christian Hammers wrote:

> On Wed, Aug 21, 2002 at 04:14:09PM +1000, Craig Sanders wrote:
> > > I have a big size file about 33G in /home directory !!! and i wanna
> > > backup this file into tape device
>
> Why tape, buy a ATA (IDE) RAID controller that allows hot swap and hot
> pluggable devices (e.g. 3ware). Then setup a raid1 between two harddiscs.
>
> Whenever you like to do the backup simply mount that array, rsync /home
> to it and umount again. The next morning, exchange one of the discs against
> a new one, the discs are your backup medium. The new disc will be rebuilt
> automatically and be available for the next backup after a few hours.
>
> Any comments?

We currently do this with 40 GB IDE drives, using Linux software raid1 and COLD swapping. (The server gets shut down twice a week).

There are three drives. One permanently mounted, one in a removable drive bay in the server and one at home.

Once a week I shut down the server and take the removable drive out. I boot the server with one drive and take the removable one home. Next day I bring the other drive back, shut the server down again and plug it in. Boot the server and start the raid manually.

We have live raid in the office and an offsite backup. Simple, cheap and effective. (Note the three drives are never at the same place at the same time.)

Regards

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: Bandwidth... compression... saving $$?
Hello Jason

On 3 Sep 2002 at 6:49, Jason Lim wrote:

> Lots of email... lots of mailing lists... i imagine that compressing
> emails (of which i get maybe 50-100 each day... a chunk of that is spam,
> but nonetheless it uses bandwidth) would yield very high compression
> rates.

We use uucp mail for dial-up mail servers. The mail is routed into our main server with smtp. We compress each file with gzip before dropping it in a uucp spool. Each dial-up server collects its mail via uucp, uncompresses with gzip and then feeds it on to exim for local delivery. We handle 300 to 500 MB of this mail per day.

I have never stopped to check what the compression ratio of incoming to outgoing e-mail is. However the outgoing volumes are significantly lower. Anti-spam and anti-virus stuff on the main server filters out quite a lot of junk too.

How about getting yourself a server in HK. Set it up with uucp + gzip, and download it from your server in Australia. At least this is much simpler to setup than tunnels etc. The uucp is extremely solid - it never loses a byte of mail.

Another consideration though, is the ratio of local to international e-mail. We have a similar (probably worse) situation with monopoly pricing in South Africa. I have considered hosting our mail server overseas. But that would mean a lot of mail gets round tripped, from SA overseas and then back to SA.

Regards

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
DNS zone file audit tool
Hello All

I am looking for a means to audit our DNS zone files. Particularly I need something that checks that there are still upstream NS records pointing to our server for each domain that we host.

Also I would like to check that our NS records point to valid name servers (particularly with secondary nameservers) and that our reverse DNS PTR records point to domains with valid A records.

I am looking for a Debian friendly utility to help with this. I have had a look at nslint but it does not seem to do what we need it to do.

Any other suggestions?

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
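Two of the three checks asked for above (NS names that have an address, and PTR records whose target has a matching A record) can be done entirely from the zone data, without a resolver. The following is an added example of such a check and is not nslint, not any Debian package, and not code from the original post. It works on a constructed, simplified record list (owner, class, type, rdata on one line; RFC 2606 names and RFC 5737 addresses), so it only sees what is in the files you feed it: an NS name outside your own zones will be reported as "no A record in the supplied data" rather than looked up, and the first check in the post (whether the parent zone still delegates to your server) needs live queries and is not covered here.

```python
import ipaddress

# Constructed sample zone data, not a real zone. Three deliberate faults:
# an NS with no address in the data, a PTR to a name that no longer has an
# A record, and a PTR whose target's A record points at a different address.
ZONE_DATA = """
; forward zone
example.org.              IN NS  ns1.example.org.
example.org.              IN NS  ns2.example.net.
ns1.example.org.          IN A   192.0.2.53
www.example.org.          IN A   192.0.2.10
mail.example.org.         IN A   192.0.2.25
; reverse zone for 192.0.2.0/24
53.2.0.192.in-addr.arpa.  IN PTR ns1.example.org.
10.2.0.192.in-addr.arpa.  IN PTR www.example.org.
25.2.0.192.in-addr.arpa.  IN PTR mail.example.org.
26.2.0.192.in-addr.arpa.  IN PTR mail.example.org.
99.2.0.192.in-addr.arpa.  IN PTR old-host.example.org.
"""


def parse_records(text):
    """Turn 'owner class type rdata' lines into (owner, type, rdata) triples.
    Names are lower-cased because DNS names compare case-insensitively."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _klass, rtype, rdata = line.split(None, 3)
        records.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records


def ptr_name_to_ip(name):
    """'10.2.0.192.in-addr.arpa.' -> '192.0.2.10' (full IPv4 reverse names only)."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError("not a full IPv4 reverse name: %s" % name)
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))


def audit(records):
    """Return (code, owner, rdata) findings for NS and PTR consistency."""
    a_by_name = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_by_name.setdefault(owner, set()).add(rdata)
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "NS" and rdata not in a_by_name:
            # Nameserver named in the data but with no address we can vouch for.
            findings.append(("NS-NO-A", owner, rdata))
        elif rtype == "PTR":
            addr = ptr_name_to_ip(owner)
            targets = a_by_name.get(rdata)
            if targets is None:
                findings.append(("PTR-NO-A", owner, rdata))          # stale reverse entry
            elif addr not in targets:
                findings.append(("PTR-A-MISMATCH", owner, rdata))    # forward/reverse disagree
    return findings


if __name__ == "__main__":
    for finding in audit(parse_records(ZONE_DATA)):
        print("%-15s %-28s -> %s" % finding)
```

On the sample data it reports ns2.example.net. (no A record supplied), the PTR for 192.0.2.99 (its target has no A record) and the PTR for 192.0.2.26 (mail.example.org. resolves to .25, not .26); the three consistent PTRs produce nothing.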
Debian Security Survey
Hi Joey

With regards to your "Debian Security Survey" (http://lists.debian.org/debian-devel-announce/2002/debian-devel-announce-200211/msg1.html).

Thank you for giving us the opportunity to listen to our feedback on the issue of security updates for Potato.

We are a small ISP, but we have specialized in setting up and maintaining e-mail and web-servers for our customers. We currently have over 70 servers under maintenance running Debian Linux. Of these 10 are running Woody, the rest are still on Potato.

Virtually all of these servers are on remote customer sites. Most of the Potato servers are on analogue or ISDN dial-up connections. To upgrade Potato to Woody requires a download of about 100 MB - which is obviously a slow process. We have quite a lot of carefully configured software on these servers. Thus we have been moving to Woody quite slowly and monitoring the systems for quirks in the upgrade process. When we are happy that we are making the "best use" of Woody we will start upgrading these servers "en masse". I expect this to be sometime in January next year. Even then it will take weeks to get them all upgraded. There may be some that we would prefer not to upgrade at all due to the nature of the hardware, limited usage etc.

Fortunately all of the dial-up boxes are on dynamic IPs which makes them far less vulnerable to scanning and intrusion than permanently connected hosts.

In addition we have one system which is running WAN router hardware as well as a multipoint serial card for remote dial-up access. This has a customized kernel (ver 2.2.19), customized advanced routing (using "ip route"), snmp, and a lot of scripts for monitoring and logging. Of course it is live 24/7 in a production environment. Upgrading this box is going to be a project all on its own.

We have already completed the upgrade of our main in-house webserver and mail servers. These were fairly big projects as they have customized setups, scripting etc. They also host many domains and many users so we had to devise strategies to complete the upgrades without causing too much disruption to the customers.

We have had development systems running Woody for a year or more.

I hope the above gives you an idea of what challenges are involved in upgrading to Woody. I think many other people are faced with similar tasks. It is important to understand that the slow pace of the upgrades is often not due to a late start or a lack of interest, but rather due to a large amount of caution when working with production systems.

I would like to see:

- Full security support for Potato for at least another 3 months.

- Limited security support for a longer period. For example it would be very nice if Debian Security could make a commitment to release updates for Potato, for any relevant vulnerability listed in a CERT (http://www.cert.org) advisory for a period of say 12 months. The idea is to at least fix remotely exploitable vulnerabilities that do not require the attacker to have knowledge of a local account password.

I mentioned CERT as they seem to be very conservative. They do not issue advisories before the exploit has been verified and is deemed to be a significant risk. Thus many of the DSA's cover vulnerabilities which do not make it into the CERT lists. Yet a very large percentage of compromised servers are compromised via vulnerabilities that have already been published in CERT advisories at the time of the intrusion.

As no new software has been added to Potato for years the actual number of security releases required to implement the above should not be all that large.

Potato was the preferred stable version of Debian for a number of years and there must be a very large number of machines installed with this version of the distribution. Many of the people who installed Potato, chose Debian because they were installing it on publicly accessible production servers. Debian is probably still the best distribution for a stable secure Linux system. It would be unfortunate to disappoint those people now.

Thanks

Ian Forbes

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: [SECURITY] [DSA-196-1] New BIND packages fix several vulnerabilities
Hello All

The latest bind fiasco seems a bit of a mess:

I only hope that these packages will plug the holes:

> These problems have been fixed in version 8.3.3-2.0woody1 for the current
> stable distribution (woody), in 8.2.3-0.potato.3 for the previous stable
> distribution (potato) and in version 8.3.3-3 for the unstable distribution
> (sid). The fixed packages for unstable will enter the archive today.

But I predict that there will be several more DSA's and upgrades before the problem dies down.

With regards to this suggestion:

> We recommend that you upgrade your bind package immediately, update to
> bind9, or switch to another DNS server implementation.

We dropped sendmail many years ago and I think it may be time to drop bind. What experiences do others have with alternate DNS servers?

Unfortunately DJB's software is not an option for us. We tried working with his licence with qmail for a couple of years but we ended up chasing our tails with custom installations, patches and a general lack of progress and maintainability. So we dropped qmail for exim. It will have to be something with a DFSG compliant licence that replaces our bind. (This is a pity, because DJB has written some excellent software.)

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: ISP Billing Software / RODOPI
Hello Kirk

On 25 Feb 2003 at 14:08, Kirk Ismay wrote:

> Finally, one thing I've been considering is to use SQL-Ledger
> (http://www.sql-ledger.org/) as a core accounting system and re-write my
> recurring billing and provisioning programs as add on modules. I can't
> promise that I'd be able to do this, but if there are interested
> co-developers / potential users email me off list. I'll use those as an
> argument to not abandon our in house code and open-source the project.
> Thank you all for your time and input.

We are also looking at this route. Currently we run a Windows based system for generating recurring invoices and tracking customer payments. We use SQL-Ledger to keep the "books". Monthly totals from the Windows system are carried across into SQL-Ledger manually.

The SQL-Ledger replaced a commercial Windows accounting package. Since we changed, we have never looked back. In terms of usability and flexibility, SQL-Ledger is tops!

Now we are rewriting the Windows stuff with a postgres back end and python cgi interface. This will make calls to the SQL-Ledger API to generate the recurring invoices. The invoices, statements and payments will be handled by SQL-Ledger. (Currently our Windows app does that).

My guess is that everybody has their own specific requirements. Our focus is on the business market. We do not have a direct interface between our accounting system and our radius servers. We don't use traffic statistics to generate invoices and we do not have an "on-line" interface for customers. We also do not take credit card payments. So we won't be looking at any of these "features" soon.

I suspect that we will be stretching SQL-Ledger's abilities, but I have every confidence that we can deal with any shortcomings that bother us. Development on SQL-Ledger is very active and most of the limitations are already being addressed.

If there are others working on similar projects, I would be happy to co-operate.

Regards

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: 400 000 mails in 12 Hours
Hello debian-isp

On 27 Feb 2003 at 12:10, debian-isp wrote:

> I have the task of setting up a mailserver capable of sending 400 000
> mail in a max time of 12 hours. All mails have an attachment of 1 mb.
> The system should be a mailer for a newsletter system. As I made quite
> a couple of things with postfix, my concern is the amount and
> considerations which have to be made when handling such an amount.

I have a problem with this. I cannot imagine any scenario which would justify sending out 400 000 e-mails with a 1 MB attachment. The chaos that this will cause to your recipients and the ISP's that host their e-mail will be very significant. You are likely to find yourself subject to many complaints, and a listing on "Spamcop" is a distinct possibility.

So before you look at the technicalities of sending the e-mail, try and answer the following first:

- Have all 400 000 people indicated their willingness to receive this e-mail? I can't believe they are employees of an organization, and even if they are clients of a bank or insurance company, it does not mean they would all be happy to get your e-mail.

- Does the attachment have to be 1 MB? Unless it contains essential graphs or maps, it should be possible to make it smaller. 1 MB of text can hold a very large amount of information.

- Would it not be better to distribute the file from a web site or ftp site, and e-mail a link from where it could be downloaded?

I manage an e-mail list on behalf of a club. There are about 100 paying members on the list which is used to distribute a news letter about once a month. Some members are keen to see some pictures in the news letter - which obviously adds to its size. If the file size is held at 500 to 700 kB it usually goes through without problems. If the file size exceeds 1 MB we have had up to 30% bounces, complaints and a variety of other problems. Every issue I have to negotiate with the editor to get the size reduced! (This is the size of the file that gets attached, the e-mail is significantly bigger.)

Good Luck

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
ANNOUNCE: "pyscan" Anti-Virus Filter Software
Hello All

I have put together an antivirus filter for use with Exim. The filter is written in Python, and it works by examining Mime headers in e-mail messages. It does not make use of a pattern database.

You could describe it as an upgrade to the antivirus Exim system filter published on the Exim website. However it has comprehensive Mime parsing capabilities and features for sending virus notification to both senders and recipients. It is similar to the application "mimedefang", but it is not dependent on "procmail" and works for incoming, outgoing and relayed e-mail.

I have developed on a Debian "woody" server running Exim 3.35. It has worked well on one of our production servers for over 6 months, handling about 500 MB of mail (over 1 messages) per day.

I think there may be others who are brave, and interested enough to want to try it. So I have published it on my web site at the following URL:

http://www.zsd.co.za/~ian/software/pyscan/

It is free, GPL licence. If there is any significant interest, I will setup a mailing list for interested users.

Regards

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
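To show what "examining Mime headers, no pattern database" means in practice, here is an added example written for this page; it is not pyscan and not code from the announcement above, and it makes no claim about how pyscan itself decides. It walks every part of a message with the standard library's email package and refuses the message when a part's declared content type is an executable type, or when its attachment name (taken from the Content-Disposition filename, or, failing that, the Content-Type name parameter, which is why both headers have to be looked at) ends in an executable extension, including the "document.pdf.exe" double-extension pattern. The message, the blocked-type list and the extension list are all constructed for the example and are deliberately short.

```python
import email
from email import policy

# Policy tables for the example (constructed, not pyscan's lists).
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "lnk"}
BLOCKED_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

# Constructed test message: one harmless text part, one part that names its
# payload only in the Content-Type header, one classic double extension, one
# part whose declared type alone is enough to refuse it, and one clean PDF.
# Attachment bodies are a few base64 bytes of plain text, not real files.
SAMPLE_MESSAGE = """\
From: sender@example.net
To: user@example.org
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached document.
--b1
Content-Type: application/octet-stream; name="setup.scr"
Content-Transfer-Encoding: base64

QUJDREVG
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

QUJDREVG
--b1
Content-Type: application/x-msdownload; name="tool.dat"
Content-Disposition: attachment; filename="tool.dat"
Content-Transfer-Encoding: base64

QUJDREVG
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

CLEAN_MESSAGE = """\
From: sender@example.net
To: user@example.org
Subject: constructed clean message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Nothing attached here.
"""


def attachment_findings(raw_message):
    """Return (filename, reason) for every MIME part the policy refuses.

    Only headers are consulted: the declared content type and the name the
    sender gave the part. The payload is never decoded or scanned."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue                                  # containers carry no payload
        filename = part.get_filename()                # disposition filename, else type name
        ctype = part.get_content_type()               # always lower-case
        if ctype in BLOCKED_TYPES:
            findings.append((filename, "blocked content type %s" % ctype))
            continue
        if not filename:
            continue
        name = filename.strip().lower()               # strip() defeats "file.pdf      .exe"
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((filename, "executable extension .%s" % ext))
    return findings


def verdict(raw_message):
    """'reject' when any part is refused, otherwise 'accept'."""
    return "reject" if attachment_findings(raw_message) else "accept"


if __name__ == "__main__":
    for name, reason in attachment_findings(SAMPLE_MESSAGE):
        print("%-18s %s" % (name, reason))
    print(verdict(SAMPLE_MESSAGE), verdict(CLEAN_MESSAGE))
```

The trade-off is the one the announcement implies: a filter like this needs no signature updates and catches renamed or brand-new executables, but it refuses by name and type only, so a hostile payload inside a permitted container type is not detected and a legitimate script attachment is refused.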
Http server with authenticated user suexec cgi's
Hi All

I have been playing with scripts to implement some "intranet functions" via a web browser cgi interface. However I quickly run into a problem with all cgi scripts running with a single uid/gid (normally that of the apache server). To make things work, I must give the httpd server user more rights than I want to (or make the cgi's suid root).

What I am looking for is an httpd server + session manager that will:

- Serve a default login page.
- Authenticate a user via the system password files.
- Setup a session for that user and keep track of that session.
- Set the uid/gid of all cgi's launched on behalf of that user, to be the uid/gid of that user.

The idea is to be able to write simple cgi's to do things like modify a ".forward" file, or connect to a database with that user's gid/uid.

Has anybody been down this road before?

One idea, I notice that the ftp server always runs with the uid of the user, once the user has been authenticated. I wonder if one could use an ftp server to launch cgi scripts? Would the browser still display the resulting html correctly?

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: Http server with authenticated user suexec cgi's
Hello Dustin

On 2 Apr 2003 at 8:07, Dustin Douglas wrote:

> I don't know of anything that does everything that you want, but a
> good starting point might be the apache suexec docs. For apache 1.3.x
> they can be found at http://httpd.apache.org/docs/suexec.html
>
> Implementing the desired functionality is left as an exercise to the
> reader.

Apache suexec will not do this. This runs the cgi scripts with the uid of the "owner" of the website, where there are many websites with many "owners" on the same server.

I am looking for a system to run the cgi scripts with the uid of the authenticated user. Ie, one server, one web site, many system users each running the cgi's with their own uid.

This is the same security situation as a user logging in via a telnet prompt and running system utilities like "ls" or "vi". Except I want the user to login via a web page and run cgi's to make things more user friendly.

Regards

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
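The design asked for in this thread, and sketched in the PS of the "Admin for E-MAIL users only" reply further up (authenticate once, fork one child that becomes the user, pipe every request of that session through the child, kill it when the session ends), comes down to a privilege drop done in the right order plus a long-lived worker. The following is an added example of that core, written for this page; it is not Ian's scripts, not suexec, and not any project's code. It assumes Linux and Python 3 and leaves authentication to the caller: the parent would verify the login before ever calling run_session. When started as root it drops the child to the nobody account (assumed to exist, as it does on Debian); when started unprivileged it performs the same sequence against the current user, so the example runs either way.

```python
import json
import os
import pwd


def drop_privileges(uid, gid):
    """Irreversibly switch this process to uid/gid.

    Order matters: supplementary groups and the gid are changed first,
    because once the uid is non-zero the process may no longer change them.
    Returns True only if real, effective and saved ids all match."""
    if os.getuid() == 0:
        os.setgroups([])          # only root may clear supplementary groups
    os.setgid(gid)                # real, effective and saved gid
    os.setuid(uid)                # real, effective and saved uid: no way back
    return os.getresuid() == (uid, uid, uid) and os.getresgid() == (gid, gid, gid)


def root_regainable():
    """True if the process can still become uid 0, i.e. the drop was incomplete."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


def session_worker(uid, gid, request_fd, response_fd, handler):
    """Child side: become the user first, then serve one JSON request per
    line until the parent closes the request pipe (end of session)."""
    dropped = drop_privileges(uid, gid)
    with os.fdopen(request_fd) as requests, os.fdopen(response_fd, "w") as responses:
        for line in requests:
            reply = {"uid": os.getuid(), "gid": os.getgid(), "dropped": dropped,
                     "root_regainable": root_regainable()}
            try:
                reply["result"] = handler(json.loads(line))
                payload = json.dumps(reply)
            except Exception as exc:      # a buggy script must not take the session down
                reply.pop("result", None)
                reply["error"] = repr(exc)
                payload = json.dumps(reply)
            responses.write(payload + "\n")
            responses.flush()


def run_session(uid, gid, requests, handler):
    """Parent side: fork one child for the authenticated user, pipe the
    session's requests through it in order, then reap it. The parent keeps
    its own privileges and never runs user code itself."""
    req_r, req_w = os.pipe()
    resp_r, resp_w = os.pipe()
    pid = os.fork()
    if pid == 0:                                  # child
        os.close(req_w)
        os.close(resp_r)
        try:
            session_worker(uid, gid, req_r, resp_w, handler)
        except BaseException:
            os._exit(1)
        os._exit(0)
    os.close(req_r)
    os.close(resp_w)
    replies = []
    with os.fdopen(req_w, "w") as to_child, os.fdopen(resp_r) as from_child:
        for request in requests:
            to_child.write(json.dumps(request) + "\n")
            to_child.flush()
            line = from_child.readline()
            if not line:                          # child died: session is over
                break
            replies.append(json.loads(line))
    os.waitpid(pid, 0)                            # pipe closed above ends the child
    return replies


def session_target():
    """Account to drop to: nobody when running as root, else the current user."""
    if os.getuid() == 0:
        try:
            pw = pwd.getpwnam("nobody")           # assumed to exist on the host
            return pw.pw_uid, pw.pw_gid
        except KeyError:
            pass
    return os.getuid(), os.getgid()


def demo_handler(request):
    """Stand-in for a per-user CGI. It runs inside the child, so any file,
    socket or database it touches is checked against that user's permissions."""
    op = request.get("op")
    if op == "whoami":
        try:
            return pwd.getpwuid(os.getuid()).pw_name
        except KeyError:
            return str(os.getuid())
    if op == "fail":
        raise RuntimeError("simulated script bug")
    return {"echo": request.get("text", "")}


if __name__ == "__main__":
    uid, gid = session_target()
    for reply in run_session(uid, gid, [{"op": "whoami"}, {"op": "fail"},
                                        {"op": "echo", "text": "hi"}], demo_handler):
        print(reply)
```

Two details carry the security argument: the drop happens before the first request is read, so no user-supplied input is ever parsed with elevated privileges, and the child reports whether it could still become root, which is the check to keep if the drop sequence is ever edited. A real server would add a session timeout that closes the request pipe and sends the child a signal, as the PS describes.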
Sharing ppp connections without channel bundling
Hi All

I am looking at the possibility of sharing traffic through two pppoe connections without channel bundling.

I want to use a linux box as a NAT router, but the outgoing ip's must be shared in "round-robin" fashion between two ppp interfaces. Obviously each tcp connection will be linked to one outgoing ppp interface (eg ppp0). But the next one should pick up the next ppp interface (ppp1) etc. Thus each ppp connection should provide a default route.

Can Linux kernel + iptables handle something like this?

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: SSH access restrictions
Hello Rudi

On 18 Oct 2003 at 11:23, Rudi Starcevic wrote:

> Is there any way to restrict a non-root user's shell account ?
>
> For example once he/she is logged in is there any way to deny, say,
> reading the /etc/passwd file ?

We have a set-up that uses "rbash". The client gets "rbash" as a login shell and his path is preset to a directory that has a few chosen executables in it. (In our case this is not much more than rsync).

I suspect a determined hacker could get around this, but it discourages most abusers.

Regards

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: SSH access restrictions
Hello Rudi

On 21 Oct 2003 at 22:58, Rudi Starcevic wrote:

> Thought I'd post something I found on the net about rbash.
> I haven't tested it yet.
>
> [quote]
>
> But it's possible to get out from this chroot.
>
> woockie_at_twoflower:~$ cd ..
> rbash: cd: restricted
> woockie_at_twoflower:~$ vi foo
>
> in vi:
> :set shell=/bin/sh
> :shell
> woockie_at_twoflower:~$ cd ..
> woockie_at_twoflower:/home$
>
> [end quote]
>
> It's disappointing if it's that easy.
> Still if they do get out and misbehave you could catch them
> with monitoring.

Our rbash shells don't have access to vi ... or much else! Their path is set to "/usr/local/lib/rbash-bin/" and that directory has sym-links to a few selected binaries.

Still I don't regard the rbash setup as secure.

Regards

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
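Whether an rbash setup of the kind described in this thread (a login shell of rbash and a PATH that points at one directory of symlinks) still enforces what it is supposed to is something worth re-checking whenever the symlink directory changes. The following is an added example for this page, not Ian's setup scripts and not part of bash: it builds a throwaway copy of such a directory with Python, then runs a handful of probes under `bash -r` with PATH limited to that directory and records which ones the restricted shell refused. It assumes bash and ls are installed; the directory name rbash-bin is borrowed from the post, and nothing here creates users or touches login shells. The thread's own point stands: a probe set like this only verifies the shell's built-in rules, and any program exposed through the directory that can itself spawn a shell (an editor, for instance) is outside what these rules can check.

```python
import os
import shutil
import subprocess
import tempfile

# What a correctly set-up rbash jail should answer for each probe:
# True = the restricted shell ran it, False = the shell refused it.
EXPECTED = {
    "ls": True,                   # on the jail PATH, so permitted
    "cd /": False,                # rbash: changing directory is disabled
    "PATH=/bin": False,           # rbash: PATH is read-only
    "/bin/ls": False,             # rbash: no '/' in command names
    "ls > listing.txt": False,    # rbash: output redirection is disabled
}


def build_rbash_bin(jail_dir, binaries):
    """Create the directory an rbash user's PATH points at, holding one
    symlink per permitted command, and return the names it now exposes."""
    os.makedirs(jail_dir, exist_ok=True)
    for name in binaries:
        real = shutil.which(name)
        if real is None:
            raise FileNotFoundError("cannot expose %s: not installed" % name)
        link = os.path.join(jail_dir, name)
        if os.path.lexists(link):
            os.remove(link)
        os.symlink(real, link)
    return sorted(os.listdir(jail_dir))


def rbash_permits(jail_dir, command):
    """Run one command line under a restricted bash whose PATH is only the
    jail directory. True if the shell executed it, False if it refused."""
    bash = shutil.which("bash")
    if bash is None:
        raise RuntimeError("bash is not installed")
    result = subprocess.run(
        [bash, "-r", "-c", command],
        cwd=jail_dir,
        env={"PATH": jail_dir, "HOME": jail_dir},   # nothing else leaks in
        capture_output=True, text=True,
    )
    return result.returncode == 0


def audit_jail(binaries=("ls",)):
    """Build a temporary jail exposing `binaries` and run every probe.
    Returns {probe: permitted}, or None when no bash is available."""
    if shutil.which("bash") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.join(tmp, "rbash-bin")
        build_rbash_bin(jail, binaries)
        return {probe: rbash_permits(jail, probe) for probe in EXPECTED}


if __name__ == "__main__":
    observed = audit_jail()
    for probe, permitted in (observed or {}).items():
        flag = "ok" if permitted == EXPECTED[probe] else "UNEXPECTED"
        print("%-20s permitted=%-5s %s" % (probe, permitted, flag))
```

Any probe whose result differs from EXPECTED means the restricted shell is not behaving as assumed on that host, which is the moment to look again at the symlink directory rather than at rbash.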
Tarpit SPAM trap
Hello All

A professional spammer is using a forged "From:" header line which quotes a non-existent address at one of our domains. Every spam he sends to a bad address gets bounced to us. We are running qmail, which by default, accepts these bounces then handles them as "double bounces".

To give you an idea of the scope of the problem we have received about eleven thousand bounces with the same forged address over the last month. All of the Spam was launched from AOL, and relayed using a whole list of open relays - many in Eastern Europe and the Far East.

We send copies of this spam to [EMAIL PROTECTED] on a daily basis. The only response I have ever had from AOL is from an autoresponder. Sometimes we send copies to the relay machine admins, usually "abuse@" bounces and sometimes "postmaster@" bounces too. I have never had a response from any of them.

The problem is an irritation to me and obviously to all of the people who are getting the spam.

My plan is to convert the qmail to exim (this is part of a larger project, which is why I have not done anything yet) then let exim refuse the bounce messages with a 500 error before they are accepted.

Then this was posted on debian-isp@lists.debian.org

On 1 Mar 00, at 20:38, Michael Koehne wrote:

> Last (if you're really desperate) install a "Teergrube". The so called
> tar pit is abusing the dash ("-") feature SMTP uses to keep alive, to
> hold an IP connection open for ever, if it comes from a host on the
> rbl list. This will cause the spamming host to go down, as any operating
> system has a limit on open sockets.
>
> Try to surf around with the keywords "Teergrube" or "Tarpit" and "SMTP"
> to get some patches for sendmail.

Ouch! This sounds pretty drastic and it is not normally my style. However it may be appropriate in this case. All of those bounce messages come from open relays, while they are actively sending spam. If I could run an effective DOS on them, then the spammer who is sending the spam would find his productivity gets hit quite hard. Maybe he will notice and then choose to forge somebody else's address... which will make my problem go away.

The DOS should only be invoked on servers sending bounce messages to the non-existent address.

Does anybody know of "Teergrube" patches for qmail, or exim. Has anybody tried this before. What resources do I have to have available on my end to sink the other server without sinking my own?

Can anybody help? I got another 35 bounces in the time it took to write this!

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388
Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Bad Blocks in IDE software Raid 1
Hello All

I have had a number of cases with disks reporting as "failed" on systems with IDE drives in software RAID 1 configuration. I suppose the good news is you can change the drive with minimal downtime and no loss of data. But some of my customers are querying the apparent high failure rate.

As far as I know, with modern IDE drives the formatted drive includes spare blocks and the drive firmware will automatically re-map the drive to replace bad blocks with ones from the spare space. This all happens transparently without any feedback to the system log files. Can somebody confirm that the above is true?

This would imply that bad blocks on one drive in an array are mapped out by the firmware, until a point is reached where there are no spare blocks on that drive. Further bad blocks would result in disk errors and the drive would be "failed" out of the array.

The ext2 file system also handles mapping out of bad blocks. These can be detected during the initial formatting of the drive, or during subsequent fsck runs. Can somebody confirm that this is true? Can ext2 file systems actively map out bad blocks during normal operation?

Finally, if an ext2 filesystem is mounted on a Linux software raid1 device, and a file system error occurs, will a portion of that device be mapped out as a bad block, or will one of the drives be "failed" out of the array? If ext2 maps out a bad block, I assume the same block on both the good and bad drives gets mapped out. If one of the drives is "failed" it would explain why the failure rate on raid drives seems higher than that in single drive machines. ie Raid fails the drive, while in a single drive machine ext2 carries on, hiding the problem from the end user who is not watching the log files.

All input would be appreciated.

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: Bad Blocks in IDE software Raid 1
Hello Russell

On 15 Apr 2003 at 20:21, Russell Coker wrote:

> If you do a write and something goes wrong then the data will be re-mapped. I
> don't know how many (if any) drives do "read after write" verification. If
> they don't then it's likely that an error will only be discovered some time
> later when you want to read the data (and this can happen even if the data is
> verified).
>
> Then the drive will return a read error. If you then write to the bad block
> the drive will usually perform a re-mapping and after that things will be
> fine.
>
> If using software RAID then a raidhotadd operation will usually trigger a
> re-mapping on the sector that caused the disk in question to be removed from
> the array.

Am I correct in assuming that every time a "bad block" is discovered and remapped on a software raid1 system:

- there is some data loss
- one of the drives is failed out of the array

I assume there are repeated attempts at reading the bad block before the above actions are triggered. Hopefully these will trigger remapping at the firmware level before the above happens.

Do you think there would be any benefit gained from "burning in" a new drive, perhaps by running "fsck -c -c", in order to find marginal blocks and get them mapped out before the drive is put onto an array? What about doing this on an array drive that has "failed" before attempting to remount it with "raidhotadd"?

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: Bad Blocks in IDE software Raid 1
Hello Russell

On 18 Apr 2003 at 17:26, Russell Coker wrote:

> On Thu, 17 Apr 2003 18:48, I. Forbes wrote:
> > Do you think there would be any benefit gained from "burning in" a
> > new drive, perhaps by running "fsck -c -c", in order to find marginal
> > blocks and get them mapped out before the drive is put onto an array?
>
> Maybe.
>
> > What about doing this on an array drive that has "failed" before
> > attempting to remount it with "raidhotadd".
>
> Generally such a "burn-in" won't achieve any more benefit than just doing a
> new raidhotadd. Although it has worked once for me and is something to keep
> in mind.

I tried this with a drive that had been faulted out of an array. I ran "fsck -c -c" on it before I ran "raidhotadd". The drive is one that has given trouble in the past. It took a long time for the "fsck" to complete (about 24 hours) but the drive might not have had dma active at the time.

In this instance it did not help. The drive has faulted out again after about a week's operation. It seems this device is on a slow inevitable slide to total failure. I have done a "raidhotadd" again, but I think I must organize a new drive.

Regards

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: Debian installed exim BIG TROUBLE
On 5 May 2003 at 16:11, Emmanuel Lacour wrote:

> On Mon, May 05, 2003 at 03:27:32PM +0200, Gregory Machin wrote:
> > where does debian launch exim from cause when i telnet in exim is running
> > but not visable under ps -ef ??
>
> Because by default, exim is running in standalone under debian. Just run
>
> update-inetd --disable smtp
> /etc/init.d/exim start

Having done this on a few boxes, I noted one slight problem with the permissions of files in /var/spool/exim/db/. When exim is running as a daemon, these should be owner "mail", group "mail". When it is running from inetd they seem to have owner "root". When you change from inetd to daemon the old files hang around with root ownership and do not get deleted or updated.

This does not stop exim from working, but it could in theory slow things down. The db files are "hint" files designed to improve performance. Without them exim reverts to a "fail safe" mode.

If they have the wrong permissions, stop exim, delete the contents of /var/spool/exim/db/ and restart exim. The db files will be rebuilt automatically with the correct ownership.

Perhaps this should be submitted as a bug.

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
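The ownership check described in the post above, written out as an added example (it is not part of the original post and not exim's own tooling). It takes the directory /var/spool/exim/db/ and the "mail" owner and group from the post; the function names, the acceptance of numeric ids, and the self-check in a temporary directory are this example's own assumptions.

```python
"""Audit the ownership of exim's hint databases.

Added example; not part of the original post or of exim itself.  The post
states that the files under /var/spool/exim/db/ should be owned by user
"mail", group "mail" when exim runs as a daemon, and that files left behind
by an inetd-started exim end up owned by root.  This script lists every
regular file in that directory whose uid or gid differs from the expected
account.  The function names, the ability to pass numeric ids, and the
self-check in a temporary directory are this example's own additions.
"""
import grp
import os
import pwd
import stat
import tempfile

EXIM_DB_DIR = "/var/spool/exim/db"   # directory named in the post
EXPECTED_ACCOUNT = "mail"            # owner and group named in the post


def _uid(account):
    """Accept a user name or a numeric uid and return the numeric uid."""
    return account if isinstance(account, int) else pwd.getpwnam(account).pw_uid


def _gid(account):
    """Accept a group name or a numeric gid and return the numeric gid."""
    return account if isinstance(account, int) else grp.getgrnam(account).gr_gid


def find_misowned(db_dir=EXIM_DB_DIR, user=EXPECTED_ACCOUNT, group=EXPECTED_ACCOUNT):
    """Return [(path, uid, gid)] for regular files not owned by user:group.

    lstat is used and symlinks are skipped, so a link pointing at a
    correctly owned file cannot mask a root-owned hint database.
    """
    want_uid, want_gid = _uid(user), _gid(group)
    misowned = []
    for name in sorted(os.listdir(db_dir)):
        path = os.path.join(db_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_uid != want_uid or st.st_gid != want_gid:
            misowned.append((path, st.st_uid, st.st_gid))
    return misowned


def self_check():
    """Constructed scenario in a temporary directory (no real spool touched).

    The files are created by, and so owned by, the current user.  Checking
    against the current uid/gid must report nothing; checking against any
    other uid must report every file.  Returns the two counts.
    """
    me_uid, me_gid = os.geteuid(), os.getegid()
    with tempfile.TemporaryDirectory() as tmp:
        # Names modelled on exim hint databases; the files are empty stand-ins.
        for name in ("retry", "wait-remote_smtp", "misc"):
            open(os.path.join(tmp, name), "w").close()
        # A symlink is not a regular file and must be ignored by the audit.
        os.symlink(os.path.join(tmp, "retry"), os.path.join(tmp, "link"))
        good = find_misowned(tmp, me_uid, me_gid)
        bad = find_misowned(tmp, me_uid + 1, me_gid)
    return len(good), len(bad)


if __name__ == "__main__":
    # Live audit; needs read access to the spool directory.  The remedy the
    # post gives is: stop exim, empty /var/spool/exim/db/, restart exim.
    for path, uid, gid in find_misowned():
        print(f"wrong ownership: {path} uid={uid} gid={gid}")
```

Run it as root on a box that has been switched from inetd to daemon mode; any file it lists is one of the stale root-owned hint databases the post describes, and the fix is the stop/empty/restart sequence given there rather than a chown, so that exim rebuilds them itself.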
Announce: pyscan 0.3 antivirus filter released
Hello All

To those who may be interested. I have released an update to my "pyscan" antivirus filter. It is available from http://www.zsd.co.za/~ian/software/pyscan

This release is a bug fix release which sorts out a few outstanding issues.

Pyscan is a filter system written in python. It filters e-mail based on the Mime content headers. It does not make use of a database of known virus signatures, nor does it require any commercial software.

Pyscan can reject an e-mail, or rename the attachment to prevent inadvertent execution, depending on the name of the file extension and the validity of the mime header information. It also sends notification of its actions to recipients and senders.

Pyscan was written and tested using Exim ver 3.3 on a "Debian woody" system, although it should be possible to use it with Exim on any platform that supports Python. Use with other MTAs may also be possible; I have not looked into that.

It is open source software released under the GPL licence.

Ian Forbes

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
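To illustrate the approach the announcement describes (filtering on MIME headers and file extensions rather than virus signatures), here is an added example. It is not pyscan's code and makes no claim about how pyscan is implemented: the extension lists, the rename suffix, the header-validity rule, the function names and the sample messages are all this example's own constructions.

```python
"""Filter e-mail attachments on their MIME headers.

Added example in the spirit of the pyscan approach described above.  It is
not pyscan's code and makes no claim about how pyscan itself is implemented:
the policy (which extensions are rejected, which are renamed, the rename
suffix), the function names and the sample messages are this example's own.
"""
import email
import email.policy
import posixpath
from email.message import EmailMessage

# Extensions a typical desktop mail client hands straight to the OS for
# execution: the whole message is rejected.
REJECT_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"}
# Containers that may carry active content: delivered, but the attachment is
# renamed so nothing is launched by an inadvertent double-click.
RENAME_EXTS = {"zip", "doc", "xls"}
RENAME_SUFFIX = ".txt"   # invoice.zip becomes invoice.zip.txt


def classify_part(part):
    """Return 'reject', 'rename' or 'ok' for one non-multipart MIME part."""
    filename = part.get_filename()
    if filename is None:
        # Message text, inline images, signatures: nothing the user can
        # double-click, so they are left alone.
        return "ok"
    # Header validity: a filename carrying a path separator or control
    # characters is malformed and the message is rejected.
    if "/" in filename or "\\" in filename or any(ord(c) < 32 for c in filename):
        return "reject"
    # The final extension is what the recipient's client acts on, so it is
    # judged regardless of the declared Content-Type (an .exe declared as
    # text/plain is still an .exe once saved to disk).
    ext = posixpath.splitext(filename)[1].lstrip(".").lower()
    if ext in REJECT_EXTS:
        return "reject"
    if ext in RENAME_EXTS:
        return "rename"
    return "ok"


def rename_attachment(part, new_name):
    """Rewrite the filename parameters so mail clients see new_name."""
    del part["Content-Disposition"]
    part["Content-Disposition"] = 'attachment; filename="%s"' % new_name
    if part.get_param("name") is not None:       # legacy name= on Content-Type
        part.set_param("name", new_name)


def scan_message(raw):
    """Parse a raw message; return (verdict, message).

    verdict is 'reject' if any part is rejected, 'rename' if at least one
    attachment was renamed (message is then the modified copy), else 'ok'.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    verdict = "ok"
    for part in msg.walk():
        if part.is_multipart():
            continue
        action = classify_part(part)
        if action == "reject":
            return "reject", msg
        if action == "rename":
            rename_attachment(part, part.get_filename() + RENAME_SUFFIX)
            verdict = "rename"
    return verdict, msg


def build_sample(filename, maintype, subtype):
    """Constructed sample mail with one attachment (not a captured message)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    if maintype == "text":
        msg.add_attachment("sample text", subtype=subtype, filename=filename)
    else:
        msg.add_attachment(b"\x00\x01sample bytes", maintype=maintype,
                           subtype=subtype, filename=filename)
    return msg.as_bytes()


def demo():
    """Run the filter over constructed samples; return {filename: verdict}."""
    samples = [
        ("report.pdf", "application", "pdf"),              # plain document
        ("invoice.zip", "application", "zip"),             # renamed to invoice.zip.txt
        ("photo.jpg.exe", "application", "octet-stream"),  # double extension
        ("notes.exe", "text", "plain"),                    # executable declared as text
        ("reports/q1.pdf", "application", "pdf"),          # path in filename
    ]
    return {name: scan_message(build_sample(name, mt, st))[0]
            for name, mt, st in samples}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

Hooked into an MTA as a filter, the "reject" verdict would map to a bounce or quarantine and the modified message from "rename" would be handed back to the queue; the notifications the announcement mentions are left out here.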
Sharing ppp connections without channel bundling
Hi All

I am looking at the possibility of sharing traffic through two pppoe connections without channel bundling.

I want to use a linux box as a NAT router, but the outgoing IPs must be shared in "round-robin" fashion between two ppp interfaces. Obviously each tcp connection will be linked to one outgoing ppp interface (eg ppp0). But the next one should pick up the next ppp interface (ppp1) etc. Thus each ppp connection should provide a default route.

Can Linux kernel + iptables handle something like this?

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: SSH access restrictions
Hello Rudi

On 18 Oct 2003 at 11:23, Rudi Starcevic wrote:

> Is there any way to restrict a non-root user's shell account ?
>
> For example once he/she is logged in is there any way to deny, say,
> reading the /etc/passwd file ?

We have a set-up that uses "rbash". The client gets "rbash" as a login shell and his path is preset to a directory that has a few chosen executables in it. (In our case this is not much more than rsync).

I suspect a determined hacker could get around this, but it discourages most abusers.

Regards

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: SSH access restrictions
Hello Rudi

On 21 Oct 2003 at 22:58, Rudi Starcevic wrote:

> Thought I'd post something I found on the net about rbash.
> I haven't tested it yet.
>
> [quote]
>
> But it's possible to get out from this chroot.
>
> woockie_at_twoflower:~$ cd ..
> rbash: cd: restricted
> woockie_at_twoflower:~$ vi foo
>
> in vi:
> :set shell=/bin/sh
> :shell
> woockie_at_twoflower:~$ cd ..
> woockie_at_twoflower:/home$
>
> [end quote]
>
> It's disappointing if it's that easy.
> Still if they do get out and misbehave you could catch them
> with monitoring.

Our rbash shells don't have access to vi ... or much else! Their path is set to "/usr/local/lib/rbash-bin/" and that directory has sym-links to a few selected binaries.

Still I don't regard the rbash setup as secure.

Regards

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Suggestion for Mail Archiving Software
Hello All

Has anybody got experience with and/or suggestions for mail archiving software?

I want copies of all mail arriving at certain addresses (sales, info, abuse etc) to be fed into an archive. Ideally it should have the following features:

- The archive should be accessible by a web or perhaps IMAP interface.
- It should be rotated say once a month.
- The archive files themselves should be compressed.

There are lots of mailing lists which get archived, so there should be a number of programs to choose from. Any suggestions?

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
RE: VPN recommendations
Hello All

Tunnelv is a userland package that works via the ethertap device. It is quite neat and totally secure.

But it has a bug that conflicts with diald. Diald will also use the ethertap device if the kernel supports it. The bug is that both packages insist on using the first device "tap0" - at the same time. I could not find an easy solution to make one of them use "tap1" - I must still file a bug report.

Also the debian (potato) package is a bit lacking in scripts for starting and stopping the daemon. You will need to put together some clever stuff to put in /etc/init.d/tunnelv (which is not in the package) and maybe in /etc/ppp/ip-up and /etc/ppp/ip-down on the other end. I suppose it all depends on what kind of network you are working on.

Ian Forbes

On 14 Sep 2000, at 10:09, Werner Fleck wrote:

> I am using Tunnel Vision (http://www.worldvisions.ca/tunnelv/) for 18 months
> now. It is easy to configure and it works very reliable. And there is a
> debian package "tunnelv".
>
> Werner
>
> > -Original Message-
> > From: Kim O [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, September 14, 2000 7:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: VPN recommendations
> >
> > was just wondering what the best way is to do VPN between
> > linux servers in different places to establish a small private
> > network over public infrastructure. packages, software or howtos
> > appreciated.
> >
> > thanks
> >
> > Kim

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
RE: VPN recommendations
Hello Werner

No it is not that simple. Tunnelv counts its own tunnels and assigns tap devices accordingly, but it insists on starting with "tap0", even when that device is already being used by diald.

Diald should also work with multiple instances on the same server. I assume it can also sort out its own "tap" devices. (But I have never tried it).

Neither diald nor tunnelv has an option where I can specify a specific "tap" device for a specific instance of the program. Anybody out there who can help, I would be interested to hear.

Otherwise is it possible to set up a tunnel with pptpd? I think I will try that one next.

Regards

Ian

On 14 Sep 2000, at 13:25, Werner Fleck wrote:

> May be it's a problem of diald -- I have a production system with three
> simultaneous tunnel vision vpns running on tap0, tap1 and tap2.
>
> Werner
>
> > -Original Message-
> > From: I. Forbes [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, September 14, 2000 12:54 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: VPN recommendations
> >
> > [...]

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: Dial-on-demand only works once for a client of the linux-PC
Hello Piet

On 1 Dec 2000, at 13:29, Piet Knoester wrote:

> A reboot of the linux router gives the windows98-pc again exactly
> one possible activation of the dial-on-demand function on it.
> I have struggled for a week now and also taken another Compaq and
> thus a new install but same problem. Can anyone give me a
> hint

I have had a similar problem using "isdn-utils" and "diald" in combination. My problem was some scripts that the isdn-utils package installed in the /etc/ppp/ip-up/ and /etc/ppp/ip-down/ directories. These messed up the routes after the first call had been placed.

Have fun!

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Deploying Reiser FS
Hello All

I am considering deploying Reiser FS on partitions in a couple of our production servers. These servers run Debian "potato", currently with 2.2.17 kernels. These systems are in production and running sweetly, and I would like to change as little as possible.

I plan on using the partitions for "maildir" mailboxes for serving via Courier IMAP. Mail will be delivered into the maildirs via exim, maildrop, courier imap and courier sqwebmail. I have this running on ext2 at the moment but with more than a few hundred messages in a mailbox we get performance problems. Hence I would like to try Reiser FS.

I have had a look at the Reiser web site. It seems there is a grey area regarding qmail, relating to the way that qmail manages its queue. Will this problem apply to deliveries to "maildir" mail directories, using the standard maildir delivery algorithm?

Are there any suggestions or problems for patching a debian 2.2 kernel and building the required utilities?

From the web site it seems that it would be a good idea to avoid nfs mounts on the Reiser partition for the mean time. Any comments on this?

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: unusual fetchmail error
Hello Kozman

On 24 Jan 2001, at 12:04, Kozman Balint wrote:

> The problem is with fetchmail: sometimes when it gets defunct after
> downloading messages, it becomes a Zombie, and some minutes later when the
> new instance of fetchmail comes up, it stops working 'cos "another
> fetchmail is running in background" and this way users don't get their
> mails.

I have seen something similar. I ended up putting "killall fetchmail" in the diald ip-up script, for our sites that insist on using fetchmail. This script is called when the server was "off-line" and goes "on-line". The dial-up is on a dynamic IP, so even if there was a fetchmail process hanging around trying to suck mail from somewhere I don't think it could be achieving anything useful at this stage. Anyway it got rid of the stuck downloads.

This is a terrible hack. The problem should be sorted out within fetchmail (if it has not been done already), but I never bothered to look at it as we do not normally use POP3/fetchmail. We prefer uucp for our intermittently connected mail servers.

If the bug has been fixed, can somebody let me know from which version of the *.deb file it was sorted out. I would like to get rid of that hack one day.

Ian Forbes

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Compiling bind_8.2.3-0 for slink
Hello All

I am trying to compile the latest "bind" on a slink system. (It is a production system that I don't wish to upgrade right now, and I am also not happy running the old vulnerable version ...)

The compilation bombs out with the following message:

make[3]: Entering directory `/home/ian/dev/bind/bind-8.2.3/src/bin/addr'
gcc -D_GNU_SOURCE -I../../port/linux/include -I../../include -O -g -c addr.c
gcc -D_GNU_SOURCE -O -g -o addr addr.o \
        ../../lib/libbind.a -lfl
ld: cannot open -lfl: No such file or directory
make[3]: *** [addr] Error 1
make[3]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src/bin/addr'
make[2]: *** [addr] Error 1
make[2]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src/bin'
make[1]: *** [all] Error 1
make[1]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src'
make: *** [build-stamp] Error 2

I assume it is looking for some library that I do not have, or it does not like slink's libc, or gcc. However I don't know too much about this. Does anybody have any suggestions as to what is causing this?

Or alternatively, does anybody know of a (reputable) slink version, *.deb binary file that I can download? (I am also looking for the latest proftpd and openssh, compiled for slink).

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Re: Compiling bind_8.2.3-0 for slink
Hello Russell

On 6 Mar 2001, at 8:09, Russell Coker wrote:

> Isn't there a security update for that?

There is, but the update has not been released for slink, just potato, that's why I needed to recompile it.

> > The compilation bombs out with the following message:
> >
> > make[3]: Entering directory `/home/ian/dev/bind/bind-8.2.3/src/bin/addr'
> > gcc -D_GNU_SOURCE -I../../port/linux/include -I../../include -O -g -c addr.c
> > gcc -D_GNU_SOURCE -O -g -o addr addr.o \
> >         ../../lib/libbind.a -lfl
> > ld: cannot open -lfl: No such file or directory
> > make[3]: *** [addr] Error 1
> > make[3]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src/bin/addr'
> > make[2]: *** [addr] Error 1
> > make[2]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src/bin'
> > make[1]: *** [all] Error 1
> > make[1]: Leaving directory `/home/ian/dev/bind/bind-8.2.3/src'
> > make: *** [build-stamp] Error 2
> >
> > I assume it is looking for some library that I do not have, or it does
> > not like slink's libc, or gcc. However I don't know too much about
> > this.
>
> Grepping Contents.gz suggests that libfl.a is in package "flex"...

Thanks, that's the clue I needed. For the record, in addition to "flex" I had to install "bison" and "mmv", on top of what I had there already.

But this was only the beginning. The thing compiled but dpkg-buildpackage bombed out because it was trying to install things into directories such as "debian/bind-dev/usr/share/man" in the build directory hierarchy - which did not exist. Trying to add them manually did not seem to help, then I added a whole lot of directories to the lists in debian/dirs, debian/bind-dev.dirs etc. This also did not work.

Then I copied the contents of /usr/sbin from the potato version of the "debhelper" package into /usr/local/sbin and started making progress again. (Perhaps I could have installed the new "debhelper" - I was not brave enough to try that).

There was still one more hiccup. "dh_fixperms" bombed out because it was trying to use "chown --no-dereference" - which works on potato but not slink. (Funny thing is the original slink version of dh_fixperms also bombed out - it contains the same code ..). I edited out the "--no-dereference" option in the perl code for that script and I finally got a working *.deb package.

If anybody wants a copy of it, e-mail me. I think my package is a bit too "alpha" to put up on an ftp server (version no's etc will probably break on an upgrade). When you install it you still get major complaints about how the whole installation must be fixed up manually to make it work. (I have done that part dozens of times over now - I think I could have re-written the installation script by now).

The thing takes longer than a kernel to compile (well it felt longer) and it has been keeping the cpu in my old slink server rather warm for the last day or two..

I think I must take some time off to read the "Packaging" manual, as I must still do proftpd and openssh ...

Cheers

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Compiling courier on potato
Hello All

As a follow up to recent discussions on compiling debs on "old" releases:

I am running the latest Courier IMAP + POP3 on Potato. I am also planning on installing Sqwebmail (which I have managed to compile). But all of this is compiled from source and installed under /usr/local/

I was looking at the unstable debian package for Courier, courier_0.31.1-2.dsc.

Build-Depends: libmysqlclient10-dev, libpam0g-dev, libdb2-dev, libperl-dev, debhelper (>= 1.1.17), mime-support

The libmysqlclient and debhelper are newer than those on potato, and I can't find "libperl-dev". What chances are there to get this to compile on potato, or should I just stick with the source distribution?

Thanks

Ian

--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa